AWS CloudFormation模板:使用条件范围

时间:2018-03-28 17:54:41

标签: amazon-web-services conditional-statements amazon-cloudformation

我正在尝试使用条件来限定CloudFormation模板中的资源,但我没有运气。我试图使用"拒绝:NotPrincipal"如下所示,但由于错误而不允许该操作"策略文档不应指定主体"。有关如何将ec2:CopyImage范围仅限于特定角色的任何建议将不胜感激。谢谢

        {
          "Sid": "DenyCopyAMI",
          "Effect": "Deny",
          "NotPrincipal": {
            "AWS": [
              "arn:aws:sts::*:assumed-role/EngineeringRole/*",
              "arn:aws:sts::*:assumed-role/PlatformRole/*",
              "arn:aws:iam::*:role/EngineeringRole/*",
              "arn:aws:iam::*:role/PlatformRole/*"
            ]
          },

1 个答案:

答案 0 :(得分:0)

以下是来自AWS restricting access to a role的文章。

使用iam get-role查找RoleId并将其添加到aws:userId下的政策条件

aws iam get-role --role-name Test-Role

IAM政策:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "ec2:CopyImage",
            "Resource": "*",
            "Condition": {
                "StringNotLike": {
                    "aws:userId": [
                        "AROAJPXXXXXJE5XOMQARS:*",
                        "AROAJPXXXXXJE5XOMQARS:*",
                        "AROAJXXXXXXV3EZVH2W5A:*",
                        "AROAJXXXXXXBH4XK552KI:*"
                    ]
                }
            }
        }
    ]
}
相关问题
最新问题