IAM policy - How to reference resources?


Problem description


Below is the policy template created to restrict any Principal to only the actions below:

Resources:
  MyPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: RulesToCreateUpdatePolicy
      ManagedPolicyName: some-policy
      PolicyDocument:
        Version: "2012-10-17"
        Statement:

          - Effect: Allow
            Action:
              - "iam:CreatePolicy"
              - "iam:DeletePolicy"
              - "iam:CreatePolicyVersion"
            Resource:
              - !Sub "arn:aws:iam::${AWS::AccountId}:policy/xyz-lambda-*"


on a policy resource whose name starts with xyz-lambda-.

This policy is assigned to an EC2 host through a role.


Is a policy with this name (like xyz-lambda-*) supposed to already exist in AWS before uploading this policy to AWS?

Solution

No, when you specify a resource in your policy document, that resource doesn't need to exist at all.

If you take into consideration this action

iam:CreatePolicy

together with your resource, what it does is grant the permissions necessary to create a policy with that particular name pattern xyz-lambda-*. It wouldn't make much sense to require the existence of such a resource if the policy is granting permission to create it in the first place.

When you consider the delete action

iam:DeletePolicy

if the resource doesn't exist, then it does nothing. Once you create a policy with the appropriate name, you will be able to delete it, but it doesn't matter whether the policy existed before this ManagedPolicy was created or after, or whether you have deleted and recreated a policy with such a name any number of times.

Lastly, since you have stated that this policy is attached to an EC2 role, it should work without errors. But I would still recommend granting the iam:ListPolicies permission for any resource (policy) discovery that could be performed by an application running on the EC2 instance. If you don't allow this action in your policy, your application will not be able to list policies, and you would have to design some error-prone workaround based on guessing or a strict naming scheme.
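The point of the answer, that IAM matches a request's action and resource ARN against the policy's patterns and never looks up whether the ARN exists, can be checked offline with a small evaluator. The following is an added example, not code from the question or the answer: it renders the question's template as the JSON policy CloudFormation would produce, evaluates a few requests against it with IAM's wildcard rules (`*` matches any run of characters, `?` one character, actions compare case-insensitively, ARNs case-sensitively, explicit Deny beats Allow, default deny), and adds the iam:ListPolicies statement the answer recommends. Two practitioner caveats are built in: iam:ListPolicies supports no resource-level scoping, so it only works with Resource "*", and iam:CreatePolicyVersion on a policy that is attached to the calling role itself is a documented privilege-escalation path, so the code flags any attached policy that the xyz-lambda-* pattern would cover. The account id 123456789012 and the policy names are made-up sample values; conditions, permission boundaries, resource policies and SCPs are deliberately out of scope.

```python
"""Offline evaluator for the IAM resource-matching question above.

Added example, not from the original question or answer. Account id and
policy names are constructed sample values.
"""
import re

ACCOUNT_ID = "123456789012"  # assumed sample account, not a real one

# The policy from the question, as the JSON that CloudFormation would render.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iam:CreatePolicy", "iam:DeletePolicy", "iam:CreatePolicyVersion"],
            "Resource": [f"arn:aws:iam::{ACCOUNT_ID}:policy/xyz-lambda-*"],
        }
    ],
}

# Same policy plus the ListPolicies statement the answer recommends.
# iam:ListPolicies has no resource-level scoping, so it needs Resource "*".
RECOMMENDED_POLICY = {
    "Version": "2012-10-17",
    "Statement": QUESTION_POLICY["Statement"] + [
        {"Effect": "Allow", "Action": "iam:ListPolicies", "Resource": "*"}
    ],
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, case_insensitive):
    """IAM wildcard semantics: '*' matches any run of characters (including
    '/' and ':'), '?' matches exactly one character, everything else is literal."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    flags = re.IGNORECASE if case_insensitive else 0
    return re.match(regex, value, flags) is not None


def is_allowed(policy, action, resource_arn):
    """Evaluate one request against one identity policy.

    Default deny; an explicit Deny beats any Allow. Action names compare
    case-insensitively, resource ARNs case-sensitively. Nothing here checks
    whether the ARN exists, because IAM does not either."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_wildcard_match(a, action, True) for a in _as_list(stmt.get("Action")))
        resource_hit = any(_wildcard_match(r, resource_arn, False) for r in _as_list(stmt.get("Resource")))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def self_version_risk(policy, attached_policy_arns):
    """Flag the known escalation path: a principal allowed to call
    iam:CreatePolicyVersion on a policy attached to itself can publish a new
    default version granting anything. Returns the attached ARNs at risk."""
    return [arn for arn in attached_policy_arns
            if is_allowed(policy, "iam:CreatePolicyVersion", arn)]


if __name__ == "__main__":
    target = f"arn:aws:iam::{ACCOUNT_ID}:policy/xyz-lambda-reader"  # does not exist yet
    print("create not-yet-existing xyz-lambda-reader:",
          is_allowed(QUESTION_POLICY, "iam:CreatePolicy", target))
    print("create policy outside the prefix:",
          is_allowed(QUESTION_POLICY, "iam:CreatePolicy", f"arn:aws:iam::{ACCOUNT_ID}:policy/admin"))
    print("list policies (question policy):", is_allowed(QUESTION_POLICY, "iam:ListPolicies", "*"))
    print("list policies (recommended):", is_allowed(RECOMMENDED_POLICY, "iam:ListPolicies", "*"))
    print("escalation risk:", self_version_risk(
        QUESTION_POLICY, [f"arn:aws:iam::{ACCOUNT_ID}:policy/xyz-lambda-ec2-role-policy"]))
```

For the authoritative answer on a real account, run the same requests through `aws iam simulate-principal-policy` against the instance role's ARN; the local evaluator is only for reasoning about the pattern matching, and if the escalation check reports any ARN, either rename that policy out of the xyz-lambda-* prefix or drop iam:CreatePolicyVersion from the statement.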
