3

我正在尝试创建一个 AWS IAM 策略,该策略允许访问高级用户拥有的所有内容 (arn:aws:iam::aws:policy/PowerUserAccess),但仅限于特定区域。

我从现有的高级用户政策开始,发现了这篇文章:https ://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_ec2_region.html

所以我在高级用户策略中添加了“条件”,结果是:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": "*",
            "NotAction": [
                "iam:*",
                "organizations:*",
                "account:*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:Region": "us-east-2"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole",
                "iam:DeleteServiceLinkedRole",
                "iam:ListRoles",
                "organizations:DescribeOrganization",
                "account:ListRegions"
            ],
            "Resource": "*"
        }
    ]
}

这似乎不起作用,因为我只能在指定区域创建 EC2 实例......但其他服务不可用: 代码管道 拉姆达

4

1 回答 1

3

当您ec2:Region在 Condition 键中使用时,这是EC2 特定的

你会想试试aws:RequestedRegionfor 条件键。

不过要小心,

一些全球服务,例如 IAM,只有一个端点。由于此终端节点物理上位于美国东部(弗吉尼亚北部)区域,因此始终会向 us-east-1 区域发出 IAM 调用

试一试

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": "*",
            "NotAction": [
                "iam:*",
                "organizations:*",
                "account:*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "us-east-2"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole",
                "iam:DeleteServiceLinkedRole",
                "iam:ListRoles",
                "organizations:DescribeOrganization",
                "account:ListRegions"
            ],
            "Resource": "*"
        }
    ]
}
于 2020-05-13T18:15:06.610 回答