我正在尝试创建一个 AWS IAM 策略,该策略允许访问高级用户拥有的所有内容 (arn:aws:iam::aws:policy/PowerUserAccess),但仅限于特定区域。
我从现有的高级用户政策开始,发现了这篇文章:https ://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_ec2_region.html
所以我在高级用户策略中添加了“条件”,结果是:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": "*",
"NotAction": [
"iam:*",
"organizations:*",
"account:*"
],
"Condition": {
"StringEquals": {
"ec2:Region": "us-east-2"
}
}
},
{
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole",
"iam:DeleteServiceLinkedRole",
"iam:ListRoles",
"organizations:DescribeOrganization",
"account:ListRegions"
],
"Resource": "*"
}
]
}