I am setting up an application on AWS and have decided to use us-east-1 as the sandbox environment and us-east-2 as the production environment. I want to create restrictions so that services in one region can only access resources in that same region.
My first implementation was:
  NotProductionServicesIAMRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - sts:AssumeRole
            Principal:
              Service:
                - lambda.amazonaws.com
            Condition:
              StringEquals:
                'aws:RequestedRegion': 'us-east-1'
      Path: '/'
      Policies:
        - PolicyName: AllowNotProductionServicesAccessNotProductionResources
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: '*'
                Resource: '*'
                Condition:
                  StringEquals:
                    'aws:RequestedRegion': 'us-east-1'

  ProductionServicesIAMRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - sts:AssumeRole
            Principal:
              Service:
                - lambda.amazonaws.com
            Condition:
              StringEquals:
                'aws:RequestedRegion': 'us-east-2'
      Path: '/flow/'
      Policies:
        - PolicyName: AllowProductionServicesAccessProductionResources
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: '*'
                Resource: '*'
                Condition:
                  StringEquals:
                    'aws:RequestedRegion': 'us-east-2'
This is how I assign these roles:

  Role:
    !If [
      IsProduction,
      ProductionServicesIAMRole,
      NotProductionServicesIAMRole,
    ]
My question: is it possible to create a single role that does the same thing as the two roles I created?
Thanks!
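As an added example, not part of the question above, here is an offline check of the region-isolation property those two permission policies are meant to enforce. It models only the subset of IAM evaluation the policies use (Allow statements with wildcard Action/Resource and a StringEquals condition on aws:RequestedRegion, implicit deny otherwise) and assumes no explicit Deny statements or other condition keys are present.

```python
"""Offline check that each role's permissions policy only works in its own region."""
from fnmatch import fnmatchcase

# Constructed copies of the two permission policies from the question.
POLICIES = {
    "NotProductionServicesIAMRole": {"Statement": [{
        "Effect": "Allow", "Action": "*", "Resource": "*",
        "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}}}]},
    "ProductionServicesIAMRole": {"Statement": [{
        "Effect": "Allow", "Action": "*", "Resource": "*",
        "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-2"}}}]},
}


def _matches(pattern, value):
    # Action/Resource may be a string or a list and may use '*' wildcards.
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    # Only StringEquals is modelled. A key that is absent from the request
    # context makes the condition false (no ...IfExists variant here).
    for key, wanted in condition.get("StringEquals", {}).items():
        wanted = wanted if isinstance(wanted, list) else [wanted]
        if context.get(key) not in wanted:
            return False
    return True


def is_allowed(policy, action, resource, context):
    """True if some Allow statement matches; everything else is an implicit deny."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue  # assumption: these policies carry no explicit Deny statements
        if (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)
                and _condition_holds(stmt.get("Condition", {}), context)):
            return True
    return False


def region_isolation_report(policies, regions=("us-east-1", "us-east-2")):
    """Map each role name to the set of regions in which a sample call is allowed."""
    return {name: {r for r in regions
                   if is_allowed(p, "s3:GetObject", "arn:aws:s3:::example-bucket/key",
                                 {"aws:RequestedRegion": r})}
            for name, p in policies.items()}


if __name__ == "__main__":
    for role, allowed in region_isolation_report(POLICIES).items():
        print(role, sorted(allowed))
```

The report shows each role allowed in exactly one region; the last assertion in the check also shows that a request carrying no aws:RequestedRegion key is denied by these policies.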