允许Cloudformation操作的AWS IAM策略

时间:2018-01-19 08:48:59

标签: amazon-web-services aws-iam

最初在https://forums.aws.amazon.com/thread.jspa?messageID=825006#825006

上询问

我正在尝试将某些操作限制为特定来源。例如,EC2和Cloudformation只能从某个源IP地址访问。我可以通过以下政策实现这一目标:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": ["ec2:*", "cloudformation:*"],
            "Resource": "*",
            "Condition": {
                "NotIpAddress": { "aws:SourceIp": ["1.2.3.4"] }
            }
        }
    ]
}

这很好用(假设ec2和cloudformation上有一个允许用户没有条件),因为我现在可以从源IP 1.2.3.4创建/查看EC2实例,但是从其他来源尝试错误。

但是,如果我尝试创建包含EC2实例的Cloudformation堆栈,则RunInstance操作会继承我的用户帐户,但不会继承我的源IP。我想更新条件以允许从Deny中排除Cloudformation源。我试过这个:

        "Condition": {
            "NotIpAddress": { "aws:SourceIp": ["1.2.3.4"] },
            "StringNotEquals": {"aws:SourceIp":"cloudformation.amazonaws.com" }
        }
    }

我还在这些操作上尝试了2个Allow语句,每个语句只有1个条件 - IpAddress包含sourceIp,第2个允许语句包含"StringEquals" : {"aws:SourceIp":"cloudformation.amazonaws.com"}这些操作。当CloudFormation尝试执行RunInstances操作时,我仍然会收到错误。

此处显示失败的CloudTrail事件:

{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "REDACTED",
        "arn": "REDACTED",
        "accountId": "REDACTED",
        "sessionContext": {
            "attributes": {
                "creationDate": "2018-01-19T07:47:40Z"
            },
            "sessionIssuer": {
                "type": "Role",
                "principalId": "REDACTED",
                "arn": "arn:aws:iam::REDACTED",
                "accountId": "REDACTED",
                "userName": "REDACTED"
            }
        },
        "invokedBy": "cloudformation.amazonaws.com"
    },
    "eventTime": "2018-01-19T08:10:39Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "RunInstances",
    "awsRegion": "REDACTED",
    "sourceIPAddress": "cloudformation.amazonaws.com",
    "userAgent": "cloudformation.amazonaws.com",
    "errorCode": "Client.UnauthorizedOperation",
    "errorMessage": "You are not authorized to perform this operation. Encoded authorization failure message: REDACTED",
    "requestParameters": { <details of instance here> },
    "responseElements": null,
    "requestID": "REDACTED",
    "eventID": "REDACTED",
    "eventType": "AwsApiCall",
    "recipientAccountId": "REDACTED"
}

我在aws:SourceIpaws:SourceIpAddressaws:UserAgent上尝试了字符串匹配 - 如何让ec2操作进行云端映射?

感谢。

0 个答案:

没有答案