我正在管理一个AWS账户。现在,我的一位非特权用户要求我授予他创建IAM角色的权利。 我理解IAM Roles通常是最佳选择,但我担心他们将能够创建“跨帐户访问角色”并允许其他人访问我的AWS账户。
这可能只是为访问权限创建“AWS服务角色”,而不是“跨帐户访问角色”?
答案 0 :(得分:0)
您可以允许使用特定政策。在示例中,我仅允许使用EMR集群的角色:
{ "Effect": "Allow", "Action": [ "iam:AttachRolePolicy" ], "Resource": "*" }, { "Effect": "Deny", "Action": [ "iam:AttachRolePolicy" ], "NotResource": [ "arn:aws:iam::*:role/EMR_DefaultRole", "arn:aws:iam::*:role/EMR_EC2_DefaultRole" ] }, { "Effect": "Deny", "Action": [ "iam:AttachRolePolicy" ], "Resource": [ "*" ], "Condition": { "ArnNotEquals": { "iam:PolicyArn": [ "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole", "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role" ] } } } ] }