AWS-IAM - 如何结合特定区域的特定访问权限和一些资源标签

AWS-IAM - 如何结合特定区域的特定访问权限和一些资源标签

您好,我正在尝试使用 IAM 策略合并用户的一些权限访问:

  • 仅限一个区域的完全访问权限(即:ap-east-1)
  • 对另一个区域的只读访问(即:us-east-1)
  • 仅对(即:us-east-1)区域具有以下标记的写访问权:abj:owner=xxxxx

我不知道我做得对不对,但前 2 个要点已经完成。我仍在尝试寻找如何实现第 3 个要点...

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "AllowFullAccessToOneSpecificRegion",
        "Effect": "Allow",
        "Action": "*",
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "aws:RequestedRegion": "ap-east-1"
            }
        }
    },
    {
        "Sid": "AllowReadOnlyAccessToOneSpecificRegion",
        "Action": [
            "a4b:Get*",
            "a4b:List*",
            "a4b:Search*",
            "access-analyzer:GetAnalyzedResource",
            "access-analyzer:GetAnalyzer",
            "access-analyzer:GetArchiveRule",
            "access-analyzer:GetFinding",
            "access-analyzer:ListAnalyzedResources",
            "access-analyzer:ListAnalyzers",
            "access-analyzer:ListArchiveRules",
            "access-analyzer:ListFindings",
            "access-analyzer:ListTagsForResource",
            "acm:Describe*",
            "acm:Get*",
            "acm:List*",
            "acm-pca:Describe*",
            "acm-pca:Get*",
            "acm-pca:List*",
            "amplify:GetApp",
            "amplify:GetBranch",
            "amplify:GetJob",
            "amplify:GetDomainAssociation",
            "amplify:ListApps",
            "amplify:ListBranches",
            "amplify:ListDomainAssociations",
            "amplify:ListJobs",
            "apigateway:GET",
            "application-autoscaling:Describe*",
            "applicationinsights:Describe*",
            "applicationinsights:List*",
            "appmesh:Describe*",
            "appmesh:List*",
            "appstream:Describe*",
            "appstream:Get*",
            "appstream:List*",
            "appsync:Get*",
            "appsync:List*",
            "autoscaling:Describe*",
            "autoscaling-plans:Describe*",
            "autoscaling-plans:GetScalingPlanResourceForecastData",
            "athena:List*",
            "athena:Batch*",
            "athena:Get*",
            "aws-portal:View*",
            "backup:Describe*",
            "backup:Get*",
            "backup:List*",
            "batch:List*",
            "batch:Describe*",
            "braket:GetDevice",
            "braket:GetQuantumTask",
            "braket:SearchDevices",
            "braket:SearchQuantumTasks",
            "budgets:Describe*",
            "budgets:View*",
            "cassandra:Select",
            "chatbot:Describe*",
            "chatbot:Get*",
            "chime:Get*",
            "chime:List*",
            "chime:Retrieve*",
            "chime:Search*",
            "chime:Validate*",
            "cloud9:Describe*",
            "cloud9:List*",
            "clouddirectory:List*",
            "clouddirectory:BatchRead",
            "clouddirectory:Get*",
            "clouddirectory:LookupPolicy",
            "cloudformation:Describe*",
            "cloudformation:Detect*",
            "cloudformation:Get*",
            "cloudformation:List*",
            "cloudformation:Estimate*",
            "cloudfront:Get*",
            "cloudfront:List*",
            "cloudhsm:List*",
            "cloudhsm:Describe*",
            "cloudhsm:Get*",
            "cloudsearch:Describe*",
            "cloudsearch:List*",
            "cloudtrail:Describe*",
            "cloudtrail:Get*",
            "cloudtrail:List*",
            "cloudtrail:LookupEvents",
            "cloudwatch:Describe*",
            "cloudwatch:Get*",
            "cloudwatch:List*",
            "codeartifact:DescribeDomain",
            "codeartifact:DescribePackageVersion",
            "codeartifact:DescribeRepository",
            "codeartifact:GetAuthorizationToken",
            "codeartifact:GetDomainPermissionsPolicy",
            "codeartifact:GetPackageVersionAsset",
            "codeartifact:GetPackageVersionReadme",
            "codeartifact:GetRepositoryEndpoint",
            "codeartifact:GetRepositoryPermissionsPolicy",
            "codeartifact:ListDomains",
            "codeartifact:ListPackages",
            "codeartifact:ListPackageVersionAssets",
            "codeartifact:ListPackageVersionDependencies",
            "codeartifact:ListPackageVersions",
            "codeartifact:ListRepositories",
            "codeartifact:ListRepositoriesInDomain",
            "codebuild:BatchGet*",
            "codebuild:DescribeCodeCoverages",
            "codebuild:DescribeTestCases",
            "codebuild:List*",
            "codecommit:BatchGet*",
            "codecommit:Describe*",
            "codecommit:Get*",
            "codecommit:GitPull",
            "codecommit:List*",
            "codedeploy:BatchGet*",
            "codedeploy:Get*",
            "codedeploy:List*",
            "codeguru-profiler:Describe*",
            "codeguru-profiler:Get*",
            "codeguru-profiler:List*",
            "codeguru-reviewer:Describe*",
            "codeguru-reviewer:Get*",
            "codeguru-reviewer:List*",
            "codepipeline:List*",
            "codepipeline:Get*",
            "codestar:List*",
            "codestar:Describe*",
            "codestar:Get*",
            "codestar:Verify*",
            "codestar-notifications:describeNotificationRule",
            "codestar-notifications:listEventTypes",
            "codestar-notifications:listNotificationRules",
            "codestar-notifications:listTagsForResource",
            "codestar-notifications:ListTargets",
            "compute-optimizer:DescribeRecommendationExportJobs",
            "compute-optimizer:GetAutoScalingGroupRecommendations",
            "compute-optimizer:GetEBSVolumeRecommendations",
            "compute-optimizer:GetEC2InstanceRecommendations",
            "compute-optimizer:GetEC2RecommendationProjectedMetrics",
            "compute-optimizer:GetEnrollmentStatus",
            "compute-optimizer:GetLambdaFunctionRecommendations",
            "compute-optimizer:GetRecommendationSummaries",
            "cognito-identity:Describe*",
            "cognito-identity:GetCredentialsForIdentity",
            "cognito-identity:GetIdentityPoolRoles",
            "cognito-identity:GetOpenIdToken",
            "cognito-identity:GetOpenIdTokenForDeveloperIdentity",
            "cognito-identity:List*",
            "cognito-identity:Lookup*",
            "cognito-sync:List*",
            "cognito-sync:Describe*",
            "cognito-sync:Get*",
            "cognito-sync:QueryRecords",
            "cognito-idp:AdminGet*",
            "cognito-idp:AdminList*",
            "cognito-idp:List*",
            "cognito-idp:Describe*",
            "cognito-idp:Get*",
            "config:Deliver*",
            "config:Describe*",
            "config:Get*",
            "config:List*",
            "config:SelectResourceConfig",
            "connect:List*",
            "connect:Describe*",
            "connect:GetFederationToken",
            "dataexchange:Get*",
            "dataexchange:List*",
            "datasync:Describe*",
            "datasync:List*",
            "datapipeline:Describe*",
            "datapipeline:EvaluateExpression",
            "datapipeline:Get*",
            "datapipeline:List*",
            "datapipeline:QueryObjects",
            "datapipeline:Validate*",
            "dax:BatchGetItem",
            "dax:Describe*",
            "dax:GetItem",
            "dax:ListTags",
            "dax:Query",
            "dax:Scan",
            "deepcomposer:GetComposition",
            "deepcomposer:GetModel",
            "deepcomposer:GetSampleModel",
            "deepcomposer:ListCompositions",
            "deepcomposer:ListModels",
            "deepcomposer:ListSampleModels",
            "deepcomposer:ListTrainingTopics",
            "detective:Get*",
            "detective:List*",
            "devicefarm:List*",
            "devicefarm:Get*",
            "devops-guru:DescribeAccountHealth",
            "devops-guru:DescribeAccountOverview",
            "devops-guru:DescribeAnomaly",
            "devops-guru:DescribeInsight",
            "devops-guru:DescribeResourceCollectionHealth",
            "devops-guru:DescribeServiceIntegration",
            "devops-guru:GetResourceCollection",
            "devops-guru:ListAnomaliesForInsight",
            "devops-guru:ListEvents",
            "devops-guru:ListInsights",
            "devops-guru:ListNotificationChannels",
            "devops-guru:ListRecommendations",
            "devops-guru:SearchInsights",
            "directconnect:Describe*",
            "discovery:Describe*",
            "discovery:List*",
            "discovery:Get*",
            "dlm:Get*",
            "dms:Describe*",
            "dms:List*",
            "dms:Test*",
            "ds:Check*",
            "ds:Describe*",
            "ds:Get*",
            "ds:List*",
            "ds:Verify*",
            "dynamodb:BatchGet*",
            "dynamodb:Describe*",
            "dynamodb:Get*",
            "dynamodb:List*",
            "dynamodb:Query",
            "dynamodb:Scan",
            "ec2:Describe*",
            "ec2:Get*",
            "ec2:SearchTransitGatewayRoutes",
            "ec2messages:Get*",
            "ecr:BatchCheck*",
            "ecr:BatchGet*",
            "ecr:Describe*",
            "ecr:Get*",
            "ecr:List*",
            "ecs:Describe*",
            "ecs:List*",
            "eks:Describe*",
            "eks:List*",
            "elasticache:Describe*",
            "elasticache:List*",
            "elasticbeanstalk:Check*",
            "elasticbeanstalk:Describe*",
            "elasticbeanstalk:List*",
            "elasticbeanstalk:Request*",
            "elasticbeanstalk:Retrieve*",
            "elasticbeanstalk:Validate*",
            "elasticfilesystem:Describe*",
            "elasticloadbalancing:Describe*",
            "elasticmapreduce:Describe*",
            "elasticmapreduce:GetBlockPublicAccessConfiguration",
            "elasticmapreduce:List*",
            "elasticmapreduce:View*",
            "elastictranscoder:List*",
            "elastictranscoder:Read*",
            "elemental-appliances-software:Get*",
            "elemental-appliances-software:List*",
            "es:Describe*",
            "es:List*",
            "es:Get*",
            "es:ESHttpGet",
            "es:ESHttpHead",
            "events:Describe*",
            "events:List*",
            "events:Test*",
            "firehose:Describe*",
            "firehose:List*",
            "fsx:Describe*",
            "fsx:List*",
            "freertos:Describe*",
            "freertos:List*",
            "gamelift:List*",
            "gamelift:Get*",
            "gamelift:Describe*",
            "gamelift:RequestUploadCredentials",
            "gamelift:ResolveAlias",
            "gamelift:Search*",
            "glacier:List*",
            "glacier:Describe*",
            "glacier:Get*",
            "globalaccelerator:Describe*",
            "globalaccelerator:List*",
            "glue:BatchGetDevEndpoints",
            "glue:BatchGetJobs",
            "glue:BatchGetPartition",
            "glue:BatchGetTriggers",
            "glue:BatchGetWorkflows",
            "glue:GetCatalogImportStatus",
            "glue:GetClassifier",
            "glue:GetClassifiers",
            "glue:GetCrawler",
            "glue:GetCrawlers",
            "glue:GetCrawlerMetrics",
            "glue:GetDatabase",
            "glue:GetDatabases",
            "glue:GetDataCatalogEncryptionSettings",
            "glue:GetDataflowGraph",
            "glue:GetDevEndpoint",
            "glue:GetDevEndpoints",
            "glue:GetJob",
            "glue:GetJobBookmark",
            "glue:GetJobs",
            "glue:GetJobRun",
            "glue:GetJobRuns",
            "glue:GetMapping",
            "glue:GetMLTaskRun",
            "glue:GetMLTaskRuns",
            "glue:GetMLTransform",
            "glue:GetMLTransforms",
            "glue:GetPartition",
            "glue:GetPartitions",
            "glue:GetPlan",
            "glue:GetResourcePolicy",
            "glue:GetSecurityConfiguration",
            "glue:GetSecurityConfigurations",
            "glue:GetTable",
            "glue:GetTables",
            "glue:GetTableVersion",
            "glue:GetTableVersions",
            "glue:GetTags",
            "glue:GetTrigger",
            "glue:GetTriggers",
            "glue:GetUserDefinedFunction",
            "glue:GetUserDefinedFunctions",
            "glue:GetWorkflow",
            "glue:GetWorkflowRun",
            "glue:GetWorkflowRunProperties",
            "glue:GetWorkflowRuns",
            "glue:ListCrawlers",
            "glue:ListDevEndpoints",
            "glue:ListJobs",
            "glue:ListMLTransforms",
            "glue:ListTriggers",
            "glue:ListWorkflows",
            "greengrass:Get*",
            "greengrass:List*",
            "guardduty:Get*",
            "guardduty:List*",
            "health:Describe*",
            "iam:Generate*",
            "iam:Get*",
            "iam:List*",
            "iam:Simulate*",
            "imagebuilder:Get*",
            "imagebuilder:List*",
            "importexport:Get*",
            "importexport:List*",
            "inspector:Describe*",
            "inspector:Get*",
            "inspector:List*",
            "inspector:Preview*",
            "iot:Describe*",
            "iot:Get*",
            "iot:List*",
            "iotanalytics:Describe*",
            "iotanalytics:List*",
            "iotanalytics:Get*",
            "iotanalytics:SampleChannelData",
            "iotsitewise:Describe*",
            "iotsitewise:Get*",
            "iotsitewise:List*",
            "iotwireless:GetDestination",
            "iotwireless:GetDeviceProfile",
            "iotwireless:GetPartnerAccount",
            "iotwireless:GetServiceEndpoint",
            "iotwireless:GetServiceProfile",
            "iotwireless:GetWirelessDevice",
            "iotwireless:GetWirelessDeviceStatistics",
            "iotwireless:GetWirelessGateway",
            "iotwireless:GetWirelessGatewayCertificate",
            "iotwireless:GetWirelessGatewayFirmwareInformation",
            "iotwireless:GetWirelessGatewayStatistics",
            "iotwireless:GetWirelessGatewayTask",
            "iotwireless:GetWirelessGatewayTaskDefinition",
            "iotwireless:ListDestinations",
            "iotwireless:ListDeviceProfiles",
            "iotwireless:ListPartnerAccounts",
            "iotwireless:ListServiceProfiles",
            "iotwireless:ListTagsForResource",
            "iotwireless:ListWirelessDevices",
            "iotwireless:ListWirelessGateways",
            "iotwireless:ListWirelessGatewayTaskDefinitions",
            "kafka:Describe*",
            "kafka:List*",
            "kafka:Get*",
            "kendra:DescribeDataSource",
            "kendra:DescribeFaq",
            "kendra:DescribeIndex",
            "kendra:DescribeThesaurus",
            "kendra:ListDataSources",
            "kendra:ListDataSourceSyncJobs",
            "kendra:ListFaqs",
            "kendra:ListIndices",
            "kendra:ListTagsForResource",
            "kendra:ListThesauri",
            "kendra:Query",
            "kinesisanalytics:Describe*",
            "kinesisanalytics:Discover*",
            "kinesisanalytics:Get*",
            "kinesisanalytics:List*",
            "kinesisvideo:Describe*",
            "kinesisvideo:Get*",
            "kinesisvideo:List*",
            "kinesis:Describe*",
            "kinesis:Get*",
            "kinesis:List*",
            "kms:Describe*",
            "kms:Get*",
            "kms:List*",
            "lambda:List*",
            "lambda:Get*",
            "lex:Get*",
            "license-manager:Get*",
            "license-manager:List*",
            "lightsail:GetActiveNames",
            "lightsail:GetBlueprints",
            "lightsail:GetBundles",
            "lightsail:GetCloudFormationStackRecords",
            "lightsail:GetDisk",
            "lightsail:GetDisks",
            "lightsail:GetDiskSnapshot",
            "lightsail:GetDiskSnapshots",
            "lightsail:GetDomain",
            "lightsail:GetDomains",
            "lightsail:GetExportSnapshotRecords",
            "lightsail:GetInstance",
            "lightsail:GetInstanceMetricData",
            "lightsail:GetInstancePortStates",
            "lightsail:GetInstances",
            "lightsail:GetInstanceSnapshot",
            "lightsail:GetInstanceSnapshots",
            "lightsail:GetInstanceState",
            "lightsail:GetKeyPair",
            "lightsail:GetKeyPairs",
            "lightsail:GetLoadBalancer",
            "lightsail:GetLoadBalancerMetricData",
            "lightsail:GetLoadBalancers",
            "lightsail:GetLoadBalancerTlsCertificates",
            "lightsail:GetOperation",
            "lightsail:GetOperations",
            "lightsail:GetOperationsForResource",
            "lightsail:GetRegions",
            "lightsail:GetRelationalDatabase",
            "lightsail:GetRelationalDatabaseBlueprints",
            "lightsail:GetRelationalDatabaseBundles",
            "lightsail:GetRelationalDatabaseEvents",
            "lightsail:GetRelationalDatabaseLogEvents",
            "lightsail:GetRelationalDatabaseLogStreams",
            "lightsail:GetRelationalDatabaseMetricData",
            "lightsail:GetRelationalDatabaseParameters",
            "lightsail:GetRelationalDatabases",
            "lightsail:GetRelationalDatabaseSnapshot",
            "lightsail:GetRelationalDatabaseSnapshots",
            "lightsail:GetStaticIp",
            "lightsail:GetStaticIps",
            "lightsail:Is*",
            "logs:Describe*",
            "logs:Get*",
            "logs:FilterLogEvents",
            "logs:ListTagsLogGroup",
            "logs:StartQuery",
            "logs:StopQuery",
            "logs:TestMetricFilter",
            "machinelearning:Describe*",
            "machinelearning:Get*",
            "mediaconvert:DescribeEndpoints",
            "mediaconvert:Get*",
            "mediaconvert:List*",
            "mediapackage:List*",
            "mediapackage:Describe*",
            "mgh:Describe*",
            "mgh:GetHomeRegion",
            "mgh:List*",
            "mobileanalytics:Get*",
            "mobilehub:Describe*",
            "mobilehub:Export*",
            "mobilehub:Generate*",
            "mobilehub:Get*",
            "mobilehub:List*",
            "mobilehub:Validate*",
            "mobilehub:Verify*",
            "mobiletargeting:Get*",
            "mobiletargeting:List*",
            "mq:Describe*",
            "mq:List*",
            "opsworks:Describe*",
            "opsworks:Get*",
            "opsworks-cm:List*",
            "opsworks-cm:Describe*",
            "organizations:Describe*",
            "organizations:List*",
            "outposts:Get*",
            "outposts:List*",
            "personalize:Describe*",
            "personalize:Get*",
            "personalize:List*",
            "pi:DescribeDimensionKeys",
            "pi:GetResourceMetrics",
            "polly:Describe*",
            "polly:Get*",
            "polly:List*",
            "polly:SynthesizeSpeech",
            "qldb:ListLedgers",
            "qldb:DescribeLedger",
            "qldb:ListJournalS3Exports",
            "qldb:ListJournalS3ExportsForLedger",
            "qldb:DescribeJournalS3Export",
            "qldb:GetBlock",
            "qldb:GetDigest",
            "qldb:GetRevision",
            "qldb:ListTagsForResource",
            "ram:Get*",
            "ram:List*",
            "rekognition:CompareFaces",
            "rekognition:Detect*",
            "rekognition:List*",
            "rekognition:Search*",
            "rds:Describe*",
            "rds:List*",
            "rds:Download*",
            "redshift:Describe*",
            "redshift:GetReservedNodeExchangeOfferings",
            "redshift:View*",
            "resource-groups:Get*",
            "resource-groups:List*",
            "resource-groups:Search*",
            "robomaker:BatchDescribe*",
            "robomaker:Describe*",
            "robomaker:Get*",
            "robomaker:List*",
            "route53:Get*",
            "route53:List*",
            "route53:Test*",
            "route53domains:Check*",
            "route53domains:Get*",
            "route53domains:List*",
            "route53domains:View*",
            "route53resolver:Get*",
            "route53resolver:List*",
            "s3:Get*",
            "s3:List*",
            "sagemaker:Describe*",
            "sagemaker:GetSearchSuggestions",
            "sagemaker:List*",
            "sagemaker:Search",
            "schemas:Describe*",
            "schemas:Get*",
            "schemas:List*",
            "schemas:Search*",
            "sdb:Get*",
            "sdb:List*",
            "sdb:Select*",
            "secretsmanager:List*",
            "secretsmanager:Describe*",
            "secretsmanager:GetResourcePolicy",
            "securityhub:Describe*",
            "securityhub:Get*",
            "securityhub:List*",
            "serverlessrepo:List*",
            "serverlessrepo:Get*",
            "serverlessrepo:SearchApplications",
            "servicecatalog:Describe*",
            "servicecatalog:GetApplication",
            "servicecatalog:GetAttributeGroup",
            "servicecatalog:List*",
            "servicecatalog:Scan*",
            "servicecatalog:Search*",
            "servicediscovery:Get*",
            "servicediscovery:List*",
            "servicequotas:GetAssociationForServiceQuotaTemplate",
            "servicequotas:GetAWSDefaultServiceQuota",
            "servicequotas:GetRequestedServiceQuotaChange",
            "servicequotas:GetServiceQuota",
            "servicequotas:GetServiceQuotaIncreaseRequestFromTemplate",
            "servicequotas:ListAWSDefaultServiceQuotas",
            "servicequotas:ListRequestedServiceQuotaChangeHistory",
            "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota",
            "servicequotas:ListServices",
            "servicequotas:ListServiceQuotas",
            "servicequotas:ListServiceQuotaIncreaseRequestsInTemplate",
            "ses:Get*",
            "ses:List*",
            "ses:Describe*",
            "shield:Describe*",
            "shield:Get*",
            "shield:List*",
            "signer:DescribeSigningJob",
            "signer:GetSigningPlatform",
            "signer:GetSigningProfile",
            "signer:ListSigningJobs",
            "signer:ListSigningPlatforms",
            "signer:ListSigningProfiles",
            "signer:ListTagsForResource",
            "snowball:Get*",
            "snowball:Describe*",
            "snowball:List*",
            "sns:Get*",
            "sns:List*",
            "sns:Check*",
            "sqs:Get*",
            "sqs:List*",
            "sqs:Receive*",
            "ssm:Describe*",
            "ssm:Get*",
            "ssm:List*",
            "sso:Get*",
            "sso:Describe*",
            "sso:List*",
            "sso:Search*",
            "sso-directory:Describe*",
            "sso-directory:List*",
            "sso-directory:Search*",
            "states:List*",
            "states:Describe*",
            "states:GetExecutionHistory",
            "storagegateway:Describe*",
            "storagegateway:List*",
            "sts:GetAccessKeyInfo",
            "sts:GetCallerIdentity",
            "sts:GetSessionToken",
            "swf:Count*",
            "swf:Describe*",
            "swf:Get*",
            "swf:List*",
            "synthetics:Describe*",
            "synthetics:Get*",
            "synthetics:List*",
            "tag:Get*",
            "transfer:Describe*",
            "transfer:List*",
            "transfer:TestIdentityProvider",
            "transcribe:Get*",
            "transcribe:List*",
            "trustedadvisor:Describe*",
            "waf:Get*",
            "waf:List*",
            "wafv2:CheckCapacity",
            "wafv2:Describe*",
            "wafv2:Get*",
            "wafv2:List*",
            "waf-regional:List*",
            "waf-regional:Get*",
            "workdocs:Describe*",
            "workdocs:Get*",
            "workdocs:CheckAlias",
            "worklink:Describe*",
            "worklink:List*",
            "workmail:Describe*",
            "workmail:Get*",
            "workmail:List*",
            "workmail:Search*",
            "workspaces:Describe*",
            "xray:BatchGet*",
            "xray:Get*"
        ],
        "Effect": "Allow",
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "aws:RequestedRegion": "us-east-1"
            }
        }
    }
]

}

如果您知道将这 3 个要点结合起来的最聪明的方法,我很乐意听听您的意见。谢谢!

答案1

为了满足第三种选择的要求:

仅对(即:us-east-1)区域具有以下标记的写访问权:abj:owner=xxxxx

你需要一个基于属性的访问控制 (ABAC)(这是一个非常好的关于该主题的教程)。

关于第一个和第二个要求。第一个你做对了。你可能要考虑使用反向登录,并了解如何使用DenyNotAction,主要原因是创建一个你想要拒绝访问的服务列表可能比列出所有可能允许的 AWS 服务列表更容易。另一个值得检查的选项是IAM 权限边界

相关内容