0

所以我试图运行一个策略,但是在将条件设置为 true 和 false 时它从未被调用,很可能会丢失一些东西,但是当我将条件语句全部省略时,我得到了所需的策略执行。

选项 1:条件语句 false

    {
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "true"
                }
            },
            "Resource": "*",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:DeleteVirtualMFADevice",
                "iam:ListVirtualMFADevices",
                "iam:EnableMFADevice",
                "iam:ResyncMFADevice",
                "iam:ListAccountAliases",
                "iam:ListUsers",
                "iam:ListSSHPublicKeys",
                "iam:ListAccessKeys",
                "iam:ListServiceSpecificCredentials",
                "iam:ListMFADevices",
                "iam:GetAccountSummary",
                "sts:GetSessionToken"
            ]
        }

选项 1:条件语句 false

    {
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            },
            "Resource": "*",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:DeleteVirtualMFADevice",
                "iam:ListVirtualMFADevices",
                "iam:EnableMFADevice",
                "iam:ResyncMFADevice",
                "iam:ListAccountAliases",
                "iam:ListUsers",
                "iam:ListSSHPublicKeys",
                "iam:ListAccessKeys",
                "iam:ListServiceSpecificCredentials",
                "iam:ListMFADevices",
                "iam:GetAccountSummary",
                "sts:GetSessionToken"
            ]
        }
4

1 回答 1

0

当使用长期凭证(例如用户访问密钥对)调用 API 或 CLI 命令时,不存在 aws:MultiFactorAuthPresent 密钥。因此,我们建议您在检查此键时使用 ...IfExists 版本的条件运算符。

于 2020-05-10T16:48:42.700 回答