
I have a secret in Secrets Manager, and there are multiple IAM roles in the system. I want only one role to be able to access this secret. Unfortunately, some other IAM roles have full Secrets Manager permissions. So I want to restrict access to the secret for all other roles except the role I want.

Roles

  1. IAM_role_that_need_to_access_the_secret
  2. IAM_role_1_that_should_not_access_the_secret
  3. IAM_role_2_that_should_not_access_the_secret

The following is working.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": "secretsmanager:GetSecretValue",
          "Principal": {
            "AWS": [
              "arn:aws:iam::IAM_role_1_that_should_not_access_the_secret",
              "arn:aws:iam::IAM_role_2_that_should_not_access_the_secret"
            ]
          },
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::IAM_role_that_need_to_access_the_secret"
          },
          "Action": "secretsmanager:GetSecretValue",
          "Resource": "*",
          "Condition": {
            "ForAnyValue:StringEquals": {
              "secretsmanager:VersionStage": "AWSCURRENT"
            }
          }
        }
      ]
    }

But I want to deny access to all roles without explicitly mentioning each role in the Deny section. Something like the following. But it restricts all roles, including the required role.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": "secretsmanager:GetSecretValue",
          "Principal": {"AWS": "*"},
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::IAM_role_that_need_to_access_the_secret"
          },
          "Action": "secretsmanager:GetSecretValue",
          "Resource": "*",
          "Condition": {
            "ForAnyValue:StringEquals": {
              "secretsmanager:VersionStage": "AWSCURRENT"
            }
          }
        }
      ]
    }

2 Answers

Update:

I asked AWS Support, and they said:

This is a known issue where a NotPrincipal resource policy fails with an explicit deny.

The workaround is to use the "StringNotEquals": "aws:PrincipalArn" condition key.


Previous answer:

You can use NotPrincipal

    {
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": "arn:aws:iam::IAM_role_that_need_to_access_the_secret"
      },
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "*",
      ...

Answered 2020-09-16T11:57:03.593
You can create a KMS key and then create a policy for that KMS key that grants access only to the role you need. Like the following:

    {
        "Version": "2012-10-17",
        "Id": "key-default-admin",
        "Statement": [
            {
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::<AWS_ACCOUNT_ID>:root"
                },
                "Action": "kms:*",
                "Resource": "*"
            },
            {
                "Sid": "Allow administration of the key",
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>",
                        "arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>"
                    ]
                },
                "Action": [
                    "kms:Create*",
                    "kms:Describe*",
                    "kms:Enable*",
                    "kms:List*",
                    "kms:Put*",
                    "kms:Update*",
                    "kms:Revoke*",
                    "kms:Disable*",
                    "kms:Get*",
                    "kms:Delete*",
                    "kms:ScheduleKeyDeletion",
                    "kms:CancelKeyDeletion"
                ],
                "Resource": "*"
            },
            {
                "Sid": "Allow use of the key",
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::<AWS_ACCOUNT_ID>:role/AdminRole",
                        "arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>"
                    ]
                },
                "Action": [
                    "kms:DescribeKey",
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:ReEncrypt*",
                    "kms:GenerateDataKey",
                    "kms:GenerateDataKeyWithoutPlaintext"
                ],
                "Resource": "*"
            },
            {
                "Sid": "Deny use of the key",
                "Effect": "Deny",
                "Principal": {
                    "AWS": "arn:aws:iam::<AWS_ACCOUNT_ID>:root"
                },
                "Action": "kms:*",
                "Resource": "*",
                "Condition": {
                    "StringNotLike": {
                        "aws:PrincipalArn": [
                            "arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>",
                            "arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>"
                        ]
                    }
                }
            }
        ]
    }

Answered 2021-01-17T21:21:55.070
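Both answers rely on the same mechanism: a blanket Deny whose condition on aws:PrincipalArn exempts the one role that should keep access (StringNotEquals in the Support workaround from the first answer, StringNotLike with a list in the KMS key policy from the second). The script below is an added example, not code from either answer or from AWS: it is a deliberately small simulator of the resource-policy evaluation order (an explicit Deny beats any Allow) that builds three policies with constructed role ARNs and a placeholder account id, then evaluates them for each role. It models only what the thread's policies use (Principal as an ARN, list or "*", Action with wildcards, Resource "*", and the String* operators) and leaves out identity-based policies, cross-account rules and NotPrincipal entirely.

```python
import fnmatch

# Constructed example. Models only what the thread's policies use: Effect,
# Principal (an ARN, a list, or "*"), Action with wildcards, Resource "*", and
# the String* condition operators over a flat request context. Identity-based
# policies, cross-account evaluation, account-root delegation and NotPrincipal
# are deliberately left out.
ACCOUNT = "123456789012"                                # placeholder account id
READER = f"arn:aws:iam::{ACCOUNT}:role/secret-reader"   # the one role that may read
OTHER_1 = f"arn:aws:iam::{ACCOUNT}:role/other-role-1"   # roles with broad SM rights
OTHER_2 = f"arn:aws:iam::{ACCOUNT}:role/other-role-2"
ADMIN = f"arn:aws:iam::{ACCOUNT}:role/AdminRole"
GET_SECRET = "secretsmanager:GetSecretValue"
CURRENT = {"secretsmanager:VersionStage": "AWSCURRENT"}  # context key the question uses

# Same Allow statement as the question, reusing CURRENT as the StringEquals map.
ALLOW_READER = {"Effect": "Allow", "Principal": {"AWS": READER}, "Action": GET_SECRET,
                "Resource": "*", "Condition": {"ForAnyValue:StringEquals": CURRENT}}


def deny_all_but(exempt, action, operator="StringNotEquals"):
    """Deny `action` to every principal whose aws:PrincipalArn is not in `exempt`.
    StringNotEquals is the operator AWS Support suggested; StringNotLike (as in the
    KMS key policy) additionally accepts wildcards in the exempt list."""
    return {"Effect": "Deny", "Principal": {"AWS": "*"}, "Action": action,
            "Resource": "*", "Condition": {operator: {"aws:PrincipalArn": exempt}}}


# The question's second attempt: an unconditional Deny for every principal.
BLANKET_DENY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": {"AWS": "*"}, "Action": GET_SECRET, "Resource": "*"},
    ALLOW_READER]}
# The Support workaround from the first answer applied to the secret's policy.
SECRET_POLICY = {"Version": "2012-10-17", "Statement": [
    deny_all_but(READER, GET_SECRET), ALLOW_READER]}
# The shape of the second answer's KMS key policy, reduced to its last two statements.
KMS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": [ADMIN, READER]}, "Resource": "*",
     "Action": ["kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"]},
    deny_all_but([ADMIN, READER], "kms:*", "StringNotLike")]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(spec, principal_arn):
    listed = ["*"] if spec == "*" else _as_list(spec["AWS"])
    return "*" in listed or principal_arn in listed


def _condition_matches(condition, ctx):
    """All operator/key pairs must hold. Negated operators (StringNot*) hold when
    the context value matches NONE of the listed values or the key is absent;
    positive operators need at least one match and fail on an absent key."""
    for operator, pairs in condition.items():
        op = operator.split(":")[-1]              # drop ForAnyValue:/ForAllValues:
        negated, like = "Not" in op, op.endswith("Like")
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                if negated:
                    continue
                return False
            hit = any(fnmatch.fnmatchcase(actual, v) if like else actual == v
                      for v in _as_list(expected))
            if hit == negated:
                return False
    return True


def evaluate(policy, principal_arn, action, context=None):
    """Return "allow", "explicit-deny" or "implicit-deny" for one request.
    aws:PrincipalArn is the IAM role ARN: for an assumed-role session AWS fills
    that key with the role's ARN, not the session ARN."""
    ctx = {"aws:PrincipalArn": principal_arn, **(context or {})}
    decision = "implicit-deny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], principal_arn):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit-deny"                # an explicit Deny beats any Allow
        decision = "allow"
    return decision


def verdicts(policy, action, context=None):
    """Evaluate one action for each constructed role, keyed by role name."""
    return {arn.rsplit("/", 1)[1]: evaluate(policy, arn, action, context)
            for arn in (READER, OTHER_1, OTHER_2, ADMIN)}


if __name__ == "__main__":
    print("blanket deny:", verdicts(BLANKET_DENY_POLICY, GET_SECRET, CURRENT))
    print("conditional deny:", verdicts(SECRET_POLICY, GET_SECRET, CURRENT))
    print("kms key policy:", verdicts(KMS_POLICY, "kms:Decrypt"))
```

Running it reproduces the question's observation (under the blanket Deny even secret-reader gets an explicit deny) and the intended split under the conditional Deny, where only secret-reader is allowed and only when the request carries the AWSCURRENT version stage. The condition-key approach works for roles because AWS populates aws:PrincipalArn with the role ARN even when the caller is an assumed-role session; NotPrincipal, by contrast, is documented as also requiring the assumed-role session ARN when used with Deny, which is why this simulator does not model it rather than model it naively. For the real service, confirm the outcome with the IAM policy simulator or a test call from each role before relying on it.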