AWS IAM applicable policies and attached entities


Question


After asking this question I did some digging and found a couple of policies with:

{
  "Effect":"Allow",
  "Action":"*",
  "Resource":"*"
}

in them.

Reading through the policy evaluation logic page again, the second step stands out to me:

  1. Evaluate all applicable policies.

The first part of my question is: How does AWS determine what policies are applicable? To my understanding this is done by looking at the Principal and/or Resource keys.

BUT: in IAM these policies have attached entities, which are to my understanding the same as Principals. Which gets to the second part of the question: What does an attached entity do to a policy? As far as I understand, all this does is tell AWS that the policy is applicable to a role, but I do not understand how this works with a "Resource":"*" in the policy.

So:

  1. How does AWS determine what policies are applicable?
  2. What does an attached entity do to a policy?
  3. Does the "Resource":"*" make the policy always applicable?

Solution

1> While making a request (either using access keys or the Console), you are passing the username/role name. So let's say you are accessing the API using an IAM user. AWS will then check the policy attached to the user and the policy attached to the IAM group (if any). It also checks whether there are any resource-based policies, e.g. an S3 bucket policy or an SNS topic policy, which is determined by the resource in the request.

2> A policy does nothing if you don't attach it to an IAM entity or to a resource (for resource-based policies). The attached entity (I think you are referring to the IAM entities) is used to decide the principal, and in turn it tells where to check for the permission (if it is an IAM user, then check IAM group membership, etc.).

3> "Resource":"*" means that this policy gives permission to any AWS resource. So the policy you have mentioned translates to: Allow ("Effect":"Allow") every action ("Action":"*") on every resource ("Resource":"*").

Hope this helps.
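The evaluation flow the answer describes, as an added example that is not part of the original answer: gather the identity-based statements of the user and its groups plus any resource-based statements naming that principal, then apply deny-overrides-allow with a default deny. All users, groups, ARNs and policies below are constructed sample data, and the simulation assumes same-account semantics (a resource-based Allow alone is sufficient).

```python
from fnmatch import fnmatchcase

# Constructed sample data: not real accounts, ARNs or policies.
USERS = {
    "alice": {"groups": ["devs"], "policies": []},
    # bob carries the "*"/"*" policy from the question plus one explicit Deny.
    "bob": {"groups": [], "policies": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}]},
}
GROUPS = {"devs": [{"Effect": "Allow", "Action": "s3:GetObject",
                    "Resource": "arn:aws:s3:::app-bucket/*"}]}
# Resource-based policies (e.g. a bucket policy), keyed by the resource ARN.
RESOURCE_POLICIES = {"arn:aws:s3:::shared-bucket": [
    {"Effect": "Allow", "Principal": "alice", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::shared-bucket"}]}
# A policy nobody attached: it exists in IAM but applies to no request (point 2>).
UNATTACHED = [{"Effect": "Allow", "Action": "*", "Resource": "*"}]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def applicable_policies(user, resource):
    """Point 1>: identity statements of the user and its groups, plus
    resource-based statements for the requested resource that name the user."""
    stmts = list(USERS[user]["policies"])
    for g in USERS[user]["groups"]:
        stmts += GROUPS[g]
    for arn, rp in RESOURCE_POLICIES.items():
        if resource == arn or resource.startswith(arn + "/"):
            stmts += [s for s in rp if user in _as_list(s["Principal"])]
    return stmts

def _matches(stmt, action, resource):
    # "*" and partial wildcards in Action/Resource are matched like IAM does.
    return (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])) and
            any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))

def is_allowed(user, action, resource):
    """Explicit Deny wins, any matching Allow grants, otherwise default deny."""
    matching = [s for s in applicable_policies(user, resource)
                if _matches(s, action, resource)]
    if any(s["Effect"] == "Deny" for s in matching):
        return False
    return any(s["Effect"] == "Allow" for s in matching)
```

Note that `"Resource":"*"` only makes a statement match every resource; the statement still only participates in requests made by the entity it is attached to, and an explicit Deny still beats it.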
