通过指定日期条件(DateGreaterThan,DateLessThan)限制AWS开发人员高级用户访问权限

时间:2020-07-20 15:02:51

标签: amazon-web-services amazon-iam amazon-policy

我拥有适用于AWS Developer Power User的托管策略,该策略使用户可以访问除IAM和组织(管理员角色以下一级)之外的所有AWS资源和操作。

AssumeRolePolicyDocument:
    Version: 2012-10-17
    Statement:
      - Effect: Allow
        Principal:
          Federated:
            - !Sub "arn:aws:iam::${AWS::AccountId}:saml-provider/ABC"
        Action: 'sts:AssumeRoleWithSAML'
        Condition:
          StringEquals:
            SAML:aud: "https://signin.aws.amazon.com/saml"
  Path: /
  Policies:
    - PolicyName: ABC
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            NotAction:
              - iam:*
              - organizations:*
              - account:*
            Resource: '*'  
          - Effect: Allow
            Action:
              - iam:CreateServiceLinkedRole
              - iam:DeleteServiceLinkedRole
              - iam:ListRoles
              - organizations:DescribeOrganization  
              - account:ListRegions
            Resource: '*'

我想在特定日期(例如部署计划中的ex)之间限制对用户的访问,并在下面为Date运算符添加代码。

Condition:
DateGreaterThan:
  aws:CurrentTime: '2020-04-01T00:00:00Z'
DateLessThan:
  aws:CurrentTime: '2020-06-30T23:59:59Z'

但是,将以上条件子句添加到PowerUserManaged策略中会引发错误400,该错误在AWS Console中部署该策略期间格式错误。

是否可以在PowerUserAccess托管策略中添加日期条件子句? https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_developer-power-user

1 个答案:

答案 0 :(得分:0)

如果您要使用IAM托管策略,只需向用户添加其他策略即可拒绝用户outside the date range

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "DateGreaterThan": {"aws:CurrentTime": "2020-04-01T00:00:00Z"},
                "DateLessThan": {"aws:CurrentTime": "2020-04-01T00:00:00Z"}
            }
        }
    ]
}

显式拒绝将始终覆盖任何allow语句,有关策略评估的更多信息,请查看AWS的Policy Evaluation页面。

相关问题
最新问题