我希望将AWS账户的使用限制在一个地区,但仍然允许使用全球服务,尤其是Cloudfront(需要在弗吉尼亚北部使用ACM的服务)。
以下简单语句不足以达到我的目的:
{
"Sid": "DisableRegions",
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": [
"eu-central-1"
]
}
}
}
是否有人确实在执行IAM策略的工作版本?还请考虑使用S3,存储桶也应仅在该区域可用!
答案 0 :(得分:0)
我的解决方案现在允许管理员访问法兰克福并启用所有全球服务。对于S3,我仅允许全局只读访问。北弗吉尼亚州也必须允许ACM才能在Cloudfront中启用SSL。反馈随时欢迎!
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AdministratorAccessForRegionFrankfurt",
"Effect": "Allow",
"Action": "*",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestedRegion": [
"eu-central-1"
]
}
}
},
{
"Sid": "AllowGlobalServices",
"Effect": "Allow",
"Action": [
"aws-portal:*",
"awsbillingconsole:*",
"iam:*",
"sts:*",
"health:*",
"support:*",
"budgets:*",
"cloudfront:*",
"organizations:*",
"trustedadvisor:*",
"shield:*",
"waf:*",
"waf-regional:*",
"route53:*",
"route53domains:*",
"tag:*",
"resource-groups:*",
"s3:Get*",
"s3:List*",
"s3:Head*",
"glacier:List*",
"glacier:Describe*",
"glacier:Get*"
],
"Resource": "*"
},
{
"Sid": "AllowACMInUSEastAsWell",
"Effect": "Allow",
"Action": "acm:*",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestedRegion": [
"us-east-1"
]
}
}
}
]
}