为什么(许多)IAM永久身份比根身份更安全? [英] Why are (many) IAM perpetual identities any safer than the root identity?
问题描述
AWS文档 " 推荐删除根用户访问密钥",并删除" [a] 具有您的AWS账户根用户的访问密钥可以不受限制地访问您账户中的所有资源."
The AWS documentation "recommend[s] that you delete your root user access keys", and to "not use the AWS account root user for your everyday tasks", because "[a]nyone who has the access key for your AWS account root user has unrestricted access to all the resources in your account."
但是随后,一个权威性答案建议"使用适当的权限创建IAM用户凭据并将其放入~/.aws/credentials文件."
But then an authoritative answer suggests to "create IAM User credentials with the appropriate permissions and put them in the ~/.aws/credentials file."
IIUC,这意味着我的~/.aws/credentials将具有我的AWS IAM"命名的配置文件",其外观类似于
IIUC this means that my ~/.aws/credentials will have my AWS IAM "named profiles", which will look like this:
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[ses_user]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
[s3_user]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=2Zp9UtkClwBF/je7MtGb/o8nvbh3yCEXAMPLEKEY
要将这些IAM身份保留在EC2实例的我的~/.aws/credentials文件(在Docker容器中)中,意味着仅捕获它们的人将无法使用整个AWS账户运行amock,而只能使用部分AWS开发工具包一次运行amock.
To leave these IAM identities in my ~/.aws/credentials file (in a Docker container) in an EC2 instance means merely that someone who captures them would not be able to run amock with the entire AWS account, but would only be able to run amock one piece at a time with parts of the AWS SDK.
这是一个小小的安慰,特别是对于访问许多AWS服务的足够大的应用程序而言.
This is small consolation, especially for a sufficiently large application that accesses many AWS services.
那么为什么建议使用永久IAM身份(~/.aws/credentials中的身份)代替根访问密钥?唯一的临时凭证不是真的可以提供显着的额外安全性吗?
Why then are the perpetual IAM identities (the ones in ~/.aws/credentials) suggested as an alternative to root access keys? Is it not indeed the case the only temporary credentials offer significant additional safety?
推荐答案
您不能使用策略明确拒绝对root帐户的访问,因此建议使用非root用户,因为您可以适当地限制其访问权限.
You cannot use policies to explicitly deny access to the root account so non-root users are the suggested alternative because you can limit their access appropriately .
Jarmod在关于使用实例概要文件而不是用户来作为系统执行任务的评论中也指出了一个很好的观点.
Jarmod also made a good point in the comments about using instance profiles instead of users for perform tasks as the system.
这篇关于为什么(许多)IAM永久身份比根身份更安全?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
