AWS IAM-特定区域中的服务仅访问相同区域中的资源

时间:2019-03-13 13:17:27

标签: amazon-web-services amazon-iam

我正在使用AWS设置应用程序,因此决定将us-east-1用作沙箱环境,并将us-east-2用作生产环境。我想创建限制,使区域中的服务只能访问同一区域中的资源。

我的第一个实现是:

NotProductionServicesIAMRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - sts:AssumeRole
            Principal:
              Service:
                - lambda.amazonaws.com
            Condition:
              StringEquals:
                'aws:RequestedRegion': 'us-east-1'
      Path: '/'
      Policies:
        - PolicyName: AllowNotProductionServicesAccessNotProductionResources
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action: '*'
                Resource: '*'
                Condition:
                  StringEquals:
                    'aws:RequestedRegion': 'us-east-1'

  ProductionServicesIAMRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - sts:AssumeRole
            Principal:
              Service:
                - lambda.amazonaws.com
            Condition:
              StringEquals:
                'aws:RequestedRegion': 'us-east-2'
      Path: '/flow/'
      Policies:
        - PolicyName: AllowProductionServicesAccessProductionResources
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action: '*'
                Resource: '*'
                Condition:
                  StringEquals:
                    'aws:RequestedRegion': 'us-east-2'

我通过这种方式来担任这些角色:

      Role:
        !If [
          IsProduction,
          ProductionServicesIAMRole,
          NotProductionServicesIAMRole,
        ]

我的问题:是否可以创建一个角色来与我创建的两个角色做相同的事情?

谢谢!

0 个答案:

没有答案