How can I create an IAM policy to restrict permissions to billing/payment management?


Question


I want to create a group with a user who only has the ability to manage payment for services - e.g. input credit card information for the account, etc. I don't want this user to have access to any of the other tools in the console. How do I do this?

Answer


Unfortunately this is not possible with AWS Identity and Access Management (IAM) the way you might have envisioned it - IAM enables Controlling User Access to Your AWS Account Billing Information, but this only includes granting IAM users access to view the respective pages (the required permissions aws-portal:ViewBilling and aws-portal:ViewUsage carry this in their names):


The AWS website integrates with AWS Identity and Access Management (IAM) so you can grant users access to billing information. You can control access to the Account Activity page and the Usage Reports page. The Account Activity page displays invoices and detailed information about charges and account activity, itemized by service and by usage type. The Usage Reports page provides detailed usage reports for each service you are subscribed to.


Workaround

Of course your use case is sound and frequently encountered - AWS provides a different solution aptly named Consolidated Billing, which enables you to consolidate payment for multiple Amazon Web Services (AWS) accounts within your company by designating a single paying account:


Consolidated Billing enables you to see a combined view of AWS charges incurred by all accounts, as well as obtain a detailed cost report for each of the individual AWS accounts associated with your paying account.


So the paying account is billed for all charges of the linked accounts; thus you need to grant the user(s) in charge of payment management access to this consolidated billing account only, which is no problem concerning the desired protection of the resources in your other accounts:


However, each linked account is completely independent in every other way (signing up for services, accessing resources, using AWS Premium Support, etc.). The paying account owner cannot access data belonging to the linked account owners (e.g., their files in Amazon S3). Each account owner uses their own AWS credentials to access their resources (e.g., their own AWS Secret Access Key). [emphasis mine]


Caveat

While Consolidated Billing ensures separation of concerns and respective protection of resources/data and billing/payment from each other, you still need to share the main AWS account credentials (i.e. email/password) of the consolidated billing account with the user(s) in charge of payment management, which is an unfortunate exception to the otherwise highly recommended advice to use IAM users only going forward.

  • Therefore, AWS recommends that at a minimum you protect your paying account with AWS Multi-Factor Authentication and a strong password. For more information, see Securing the Paying Account (http://docs.aws.amazon.com/awsaccountbilling/latest/about/consolidatedbilling.html#useconsolidatedbilling-security).
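The answer above names the two IAM actions that grant read access to the billing pages, aws-portal:ViewBilling and aws-portal:ViewUsage, but does not show the policy itself. The following is an added example, not code from the original question or answer: it builds a least-privilege policy document containing only those two actions and then checks it offline with a deliberately simplified model of IAM's evaluation logic (everything is denied by default, any matching explicit Deny wins over Allow, action names are matched case-insensitively with wildcards). The evaluator is this example's own approximation and is not AWS's implementation; it ignores resources, conditions, service control policies and permission boundaries. Note that, for IAM users or roles, the billing console only honours such a policy once the root user has enabled IAM access to billing information in the account settings.

```python
import fnmatch
import json

# The policy document below is standard IAM policy JSON and uses only the
# two billing actions named in the answer.  Everything after it is an
# added, simplified model of IAM's evaluation logic for offline checking;
# it is NOT AWS's evaluator.
BILLING_VIEW_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ViewBillingPagesOnly",
            "Effect": "Allow",
            "Action": ["aws-portal:ViewBilling", "aws-portal:ViewUsage"],
            "Resource": "*",
        }
    ],
}

# A second, constructed policy that allows every aws-portal action but
# explicitly denies one of them, to show that an explicit Deny always
# wins over an Allow regardless of statement order.
PORTAL_ALLOW_WITH_DENY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "aws-portal:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "aws-portal:ViewUsage", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM lets 'Statement' and 'Action' be a single item or a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action matching is case-insensitive and supports '*' and '?'.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(policy, action):
    """Return True if `action` is permitted by `policy`.

    Simplified IAM semantics: start from an implicit deny; any statement
    whose Action matches and whose Effect is Deny short-circuits to
    False; otherwise at least one matching Allow is required.
    """
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        patterns = _as_list(stmt.get("Action", []))
        if not any(_action_matches(p, action) for p in patterns):
            continue
        if stmt["Effect"] == "Deny":
            return False
        if stmt["Effect"] == "Allow":
            allowed = True
    return allowed


def check_policy(policy, actions):
    """Evaluate each action in `actions` and return {action: allowed}."""
    return {action: is_allowed(policy, action) for action in actions}


if __name__ == "__main__":
    # Constructed probe set: the two billing actions plus a few console
    # actions the billing user must NOT be able to perform.
    probe = [
        "aws-portal:ViewBilling",
        "aws-portal:ViewUsage",
        "s3:ListAllMyBuckets",
        "iam:CreateUser",
        "ec2:RunInstances",
    ]
    print(json.dumps(BILLING_VIEW_ONLY_POLICY, indent=2))
    for action, ok in check_policy(BILLING_VIEW_ONLY_POLICY, probe).items():
        print(f"{action:28s} {'ALLOW' if ok else 'deny'}")
```

Attach BILLING_VIEW_ONLY_POLICY to the group; the probe loop is the check a practitioner should repeat after every policy change, confirming that only the two aws-portal view actions evaluate to ALLOW and that resource-level actions such as s3:ListAllMyBuckets remain denied.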
