The certbot-dns-route53 plugin works as expected, but I would like to know whether there is a way to restrict the changes allowed by the IAM policy to only those related to _acme, so that, for example, a "malicious" update by certbot cannot mess with the rest of the DNS entries.
The sample policy looks like this:
{
    "Version": "2012-10-17",
    "Id": "certbot-dns-route53 sample policy",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZones",
                "route53:GetChange"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "route53:ChangeResourceRecordSets"
            ],
            "Resource": [
                "arn:aws:route53:::hostedzone/YOURHOSTEDZONEID"
            ]
        }
    ]
}
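A tightened version of the policy above, added here as an illustration and not part of the original post or of the certbot project's documentation. It keeps the same two statements but adds a Condition block to the ChangeResourceRecordSets statement using the Route 53 condition keys route53:ChangeResourceRecordSetsNormalizedRecordNames, route53:ChangeResourceRecordSetsRecordTypes and route53:ChangeResourceRecordSetsActions, so that the credentials can only touch TXT records whose name starts with _acme-challenge. The zone name example.com and the Sid values are assumptions; YOURHOSTEDZONEID is the placeholder from the original policy. The actions listed (UPSERT to add the challenge record, DELETE to clean it up) are what the plugin is assumed to issue; if a request is denied, the CloudTrail entry shows the action actually used.

```json
{
    "Version": "2012-10-17",
    "Id": "certbot-dns-route53 restricted to _acme-challenge TXT records",
    "Statement": [
        {
            "Sid": "DiscoverZonesAndPollChangeStatus",
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZones",
                "route53:GetChange"
            ],
            "Resource": "*"
        },
        {
            "Sid": "OnlyAcmeChallengeTxtRecordsInThisZone",
            "Effect": "Allow",
            "Action": "route53:ChangeResourceRecordSets",
            "Resource": "arn:aws:route53:::hostedzone/YOURHOSTEDZONEID",
            "Condition": {
                "ForAllValues:StringEquals": {
                    "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"],
                    "route53:ChangeResourceRecordSetsActions": ["UPSERT", "DELETE"]
                },
                "ForAllValues:StringLike": {
                    "route53:ChangeResourceRecordSetsNormalizedRecordNames": [
                        "_acme-challenge.example.com",
                        "_acme-challenge.*.example.com"
                    ]
                }
            }
        }
    ]
}
```

Two caveats worth keeping in mind. First, ForAllValues requires every change in a single ChangeResourceRecordSets request to satisfy the condition, which is what you want: a batch that mixes an _acme-challenge TXT upsert with an A record change is rejected as a whole. The `*` in StringLike matches across dots, so the second pattern covers `_acme-challenge.www.example.com` as well as deeper labels; a wildcard certificate for `*.example.com` is validated at `_acme-challenge.example.com`, which the first pattern covers. Second, this limits the blast radius to DNS-01 challenge records only: a compromised certbot host still holds credentials that can pass DNS-01 validation for any name in the zone, so it limits DNS tampering, not rogue certificate issuance for that zone.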