如何创建 IAM 策略来限制对账单/付款管理的权限? [英] How can I create an IAM policy to restrict permissions to billing/payment management?
问题描述
我想创建一个群组,其中的用户只能管理服务付款 - 例如输入帐户的信用卡信息等.我不希望此用户访问控制台中的任何其他工具.我该怎么做?
I want to create a group with a user who only has the ability to manage payment for services - e.g. input credit card information for the account, etc. I don't want this user to have access to any of the other tools in the console. How do I do this?
推荐答案
很遗憾,AWS Identity and访问管理 (IAM) 就像您想象的那样 - IAM 支持 控制用户对您的 AWS 账户账单信息的访问,但这仅包括授予 IAM 用户查看相应页面的权限(所需权限 aws-portal:ViewBilling 和 aws-portal:ViewUsage 在他们的名字中带有这个):
Unfortunately this is not possible with AWS Identity and Access Management (IAM) the way you might have envisioned it - IAM enables Controlling User Access to Your AWS Account Billing Information, but this only includes granting IAM users access to view the respective pages (the required permissions aws-portal:ViewBilling and aws-portal:ViewUsage carry this in their names):
AWS 网站与 AWS Identity and Access Management 集成(IAM) 以便您可以授予用户访问账单信息的权限.你可以控制对账户活动 页面和 用法报告页面.帐户活动页面显示发票和关于费用和账户活动的详细信息,由服务和使用类型.使用情况报告页面提供了详细的您订阅的每项服务的使用情况报告.
The AWS website integrates with AWS Identity and Access Management (IAM) so you can grant users access to billing information. You can control access to the Account Activity page and the Usage Reports page. The Account Activity page displays invoices and detailed information about charges and account activity, itemized by service and by usage type. The Usage Reports page provides detailed usage reports for each service you are subscribed to.
解决方法
当然,您的用例是合理且经常遇到的 - AWS 提供了一个不同的解决方案,名称恰如其分地命名为 合并账单,允许您通过指定一个付款帐户来合并公司内多个 Amazon Web Services (AWS) 帐户的付款:
整合账单使您能够查看 AWS 费用的综合视图所有账户产生的费用,以及获取详细的成本报告与您的付款相关联的每个单独的 AWS 账户帐户.
Consolidated Billing enables you to see a combined view of AWS charges incurred by all accounts, as well as obtain a detailed cost report for each of the individual AWS accounts associated with your paying account.
因此支付账户需要支付关联账户的所有费用,因此您只需要授予负责支付管理的用户访问此合并账单账户,即对您其他帐户中的资源进行所需的保护没有问题:
So The paying account is billed for all charges of the linked accounts, thus you need to grant the user(s) in charge of the payment management access to this consolidated billing account only, which is no problem concerning the desired protection of the resources in your other accounts:
但是,每个关联的帐户在彼此之间完全独立方式(注册服务、访问资源、使用 AWS Premium支持等).付费帐户所有者无法访问属于链接的帐户所有者(例如,他们在 Amazon S3 中的文件).每个账户所有者使用他们自己的 AWS 凭证来访问他们的资源(例如,他们自己的 AWS 秘密访问密钥).[强调我的]
However, each linked account is completely independent in every other way (signing up for services, accessing resources, using AWS Premium Support, etc.). The paying account owner cannot access data belonging to the linked account owners (e.g., their files in Amazon S3). Each account owner uses their own AWS credentials to access their resources (e.g., their own AWS Secret Access Key). [emphasis mine]
警告
虽然Consolidated Billing 确保了关注点的分离以及对资源/数据和账单/付款的各自保护,但您仍然需要共享主 AWS 账户凭证(即电子邮件/密码)与负责支付管理的用户的合并结算帐户,这是一个不幸的例外,否则强烈建议为 IAM 用户提供便利.
Caveat
While Consolidated Billing ensures separation of concerns and respective protection of resources/data and billing/payment from each other, you still need to share the main AWS account credentials (i.e. email/password) of the consolidated billing account with the user(s) in charge of payment management, which is an unfortunate exception to the otherwise highly recommended advise to facilitate IAM users only going forward.
- 因此,AWS 建议至少使用 AWS 多重身份验证和强密码保护您的付款账户.有关详细信息,请参阅付款帐户的安全性.
这篇关于如何创建 IAM 策略来限制对账单/付款管理的权限?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
