我目前有此政策 (HCL)
data "aws_caller_identity" "current" {}
data "aws_iam_policy_document" "admin_policy_doc" {
statement {
sid = "DenyAccessToModifySelf"
effect = "Deny"
actions = [
"iam:AddUserToGroup",
"iam:AttachUserPolicy"
]
resources = [
"arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/&{aws:username}",
]
}
statement {
sid = "AllowIAMControl"
effect = "Allow"
actions = ["iam:*"]
resources = ["*"]
}
}
这样做的目的是让管理员能够更新其他人的权限,而无需更新自己的权限,以符合职责分离和最小特权。不过,似乎使用权限相关资源的AddUserToGroup是组,而不是用户。因此,如果用户拥有此权限,她仍然可以将自己添加到更具特权的组中。
我也尝试过使用如下条件:
{
"Sid": "DenyAccessToAddSelfToGroup",
"Effect": "Deny",
"Action": [
"iam:AddUserToGroup"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:username": [
"${aws:username}"
]
}
}
}
但没用。这只是一个全局条件,不允许添加全部用户分组,这不是我想要的。有人找到解决方案吗?