我拥有适用于AWS Developer Power User的托管策略,该策略使用户可以访问除IAM和组织(管理员角色以下一级)之外的所有AWS资源和操作。
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Federated:
- !Sub "arn:aws:iam::${AWS::AccountId}:saml-provider/ABC"
Action: 'sts:AssumeRoleWithSAML'
Condition:
StringEquals:
SAML:aud: "https://signin.aws.amazon.com/saml"
Path: /
Policies:
- PolicyName: ABC
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
NotAction:
- iam:*
- organizations:*
- account:*
Resource: '*'
- Effect: Allow
Action:
- iam:CreateServiceLinkedRole
- iam:DeleteServiceLinkedRole
- iam:ListRoles
- organizations:DescribeOrganization
- account:ListRegions
Resource: '*'
我想在特定日期(例如部署计划中的ex)之间限制对用户的访问,并在下面为Date运算符添加代码。
Condition:
DateGreaterThan:
aws:CurrentTime: '2020-04-01T00:00:00Z'
DateLessThan:
aws:CurrentTime: '2020-06-30T23:59:59Z'
但是,将以上条件子句添加到PowerUserManaged策略中会引发错误400,该错误在AWS Console中部署该策略期间格式错误。
是否可以在PowerUserAccess托管策略中添加日期条件子句? https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_developer-power-user
答案 0 :(得分:0)
如果您要使用IAM托管策略,只需向用户添加其他策略即可拒绝用户outside the date range。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"DateGreaterThan": {"aws:CurrentTime": "2020-04-01T00:00:00Z"},
"DateLessThan": {"aws:CurrentTime": "2020-04-01T00:00:00Z"}
}
}
]
}
显式拒绝将始终覆盖任何allow语句,有关策略评估的更多信息,请查看AWS的Policy Evaluation页面。