Amazon Web Services: is there a way to restrict which actions an IAM role can add to an IAM policy?

Tags: amazon-web-services, amazon-cloudformation, amazon-iam, aws-codepipeline

We want developers to be able to create CodePipelines that can deploy their services. This means they need to be able to create IAM roles for the CodePipeline steps.


That means we have to give developers IAM capabilities. Is there a way to restrict this, so that the IAM roles they can create are limited to certain services, such as ECS-, EC2- and RDS-related actions? Or perhaps specifically blacklist certain services (such as IAM-related actions)?

Yes. For this we give developers a role (reachable through CodeBuild) that can create other roles subject to a permissions boundary. We encourage them to split their CodePipeline into multiple stages, each with its own role. They use this CodeBuild role to bootstrap their pipeline. The roles are restricted in which services they can be passed to and which actions they can perform.

Here is how to do it:

  # Role that developers assume from CodeBuild to create their pipeline roles
  DeveloperPipelineCreateRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: "Developer-pipeline-create-role"
      ManagedPolicyArns:
        - !Ref DeveloperPipelineCreatePolicy
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - codebuild.amazonaws.com
            Action:
              - sts:AssumeRole

  # Role-management permissions, granted only when the target role carries
  # one of the approved permissions boundaries
  DeveloperPipelineCreatePolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: "Developer-pipeline-create-policy"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
        - Sid: AllowCreateRoles
          Effect: Allow
          Action:
            - iam:CreateRole
            - iam:DetachRolePolicy
            - iam:AttachRolePolicy
            - iam:PutRolePermissionsBoundary
          Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/*'
          Condition:
            StringEquals:
              iam:PermissionsBoundary:
                - !Sub 'arn:aws:iam::${AWS::AccountId}:policy/pipeline-iam-boundary'
                - !Sub 'arn:aws:iam::${AWS::AccountId}:policy/source-iam-boundary'
                - !Sub 'arn:aws:iam::${AWS::AccountId}:policy/build-iam-boundary'
                - !Sub 'arn:aws:iam::${AWS::AccountId}:policy/deploy-iam-boundary'
                - !Sub 'arn:aws:iam::${AWS::AccountId}:policy/execution-iam-boundary'

  # Boundary for the pipeline-stage role: caps which services it may pass
  # roles to, plus whatever the pipeline stage itself needs to do
  CodePipelineBoundary:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: !Sub "pipeline-iam-boundary"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Action:
            - iam:PassRole
            Resource: "*"
            Effect: Allow
            Condition:
              StringEqualsIfExists:
                iam:PassedToService:
                - cloudformation.amazonaws.com
                - elasticbeanstalk.amazonaws.com
                - ec2.amazonaws.com
                - ecs-tasks.amazonaws.com
          - Sid: AddStuffYourPipelineRoleMightDo
            Effect: Allow
            Action: (something)
            Resource: (something)

  SourceBoundary: (similar to above)
  BuildBoundary: (similar to above)
  ...
See the example.
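To make the two gates in this answer concrete, here is an added example (not the answerer's code and not AWS's evaluation engine) that models them offline in Python: the developer role may call iam:CreateRole only when the request names one of the approved boundaries, and a role created under pipeline-iam-boundary ends up with the intersection of its own policy and the boundary, so even an over-broad role policy cannot pass a role to an unlisted service or touch IAM. The account id, role ARN, the ecs:UpdateService statement standing in for the "(something)" placeholder, and the simplified Allow-only evaluator are all constructed assumptions.

```python
"""Simplified offline model of IAM policy evaluation for the permissions
boundary setup in the answer. Constructed for illustration: it handles only
Allow statements, wildcard Action/Resource matching and the StringEquals /
StringEqualsIfExists condition operators; explicit Deny, NotAction and other
operators are out of scope."""
from fnmatch import fnmatchcase

ACCOUNT = "111111111111"  # constructed placeholder account id
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/my-pipeline-role"  # constructed

# Mirrors the Developer-pipeline-create-policy statement from the answer.
DEVELOPER_POLICY = [{
    "Effect": "Allow",
    "Action": ["iam:CreateRole", "iam:DetachRolePolicy",
               "iam:AttachRolePolicy", "iam:PutRolePermissionsBoundary"],
    "Resource": f"arn:aws:iam::{ACCOUNT}:role/*",
    "Condition": {"StringEquals": {"iam:PermissionsBoundary": [
        f"arn:aws:iam::{ACCOUNT}:policy/{name}-iam-boundary"
        for name in ("pipeline", "source", "build", "deploy", "execution")]}},
}]

# Mirrors pipeline-iam-boundary; the "(something)" statement is filled with a
# constructed ECS deploy permission purely for illustration.
PIPELINE_BOUNDARY = [
    {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*",
     "Condition": {"StringEqualsIfExists": {"iam:PassedToService": [
         "cloudformation.amazonaws.com", "elasticbeanstalk.amazonaws.com",
         "ec2.amazonaws.com", "ecs-tasks.amazonaws.com"]}}},
    {"Effect": "Allow", "Action": ["ecs:UpdateService"], "Resource": "*"},
]

# A deliberately over-broad role policy a developer might attach to the
# pipeline role they create (constructed); the boundary is what reins it in.
OVERBROAD_ROLE_POLICY = [{"Effect": "Allow", "Action": "*", "Resource": "*"}]


def _match_any(patterns, value):
    """IAM-style wildcard match of one value against a string or list."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def _condition_ok(cond, ctx):
    """StringEquals fails when the key is absent from the request context;
    the ...IfExists variant treats an absent key as satisfied."""
    for operator, pairs in cond.items():
        for key, allowed in pairs.items():
            if isinstance(allowed, str):
                allowed = [allowed]
            if key not in ctx:
                if operator.endswith("IfExists"):
                    continue
                return False
            if ctx[key] not in allowed:
                return False
    return True


def allows(policy, action, resource, ctx):
    """True if any Allow statement matches action, resource and conditions."""
    return any(
        s["Effect"] == "Allow"
        and _match_any(s["Action"], action)
        and _match_any(s["Resource"], resource)
        and _condition_ok(s.get("Condition", {}), ctx)
        for s in policy)


def can_create_role(boundary_arn):
    """Gate 1: may the developer role create a role with this boundary?
    A request with no boundary at all leaves the condition key unset."""
    ctx = {"iam:PermissionsBoundary": boundary_arn} if boundary_arn else {}
    return allows(DEVELOPER_POLICY, "iam:CreateRole", ROLE_ARN, ctx)


def effective_allow(role_policy, boundary, action, resource, ctx):
    """Gate 2: with a boundary attached, a request must be allowed by BOTH
    the role's own policy and the boundary (intersection)."""
    return (allows(role_policy, action, resource, ctx)
            and allows(boundary, action, resource, ctx))


if __name__ == "__main__":
    boundary = f"arn:aws:iam::{ACCOUNT}:policy/pipeline-iam-boundary"
    print("create with approved boundary:", can_create_role(boundary))
    print("create with no boundary:      ", can_create_role(None))
    for svc in ("ecs-tasks.amazonaws.com", "lambda.amazonaws.com"):
        ok = effective_allow(OVERBROAD_ROLE_POLICY, PIPELINE_BOUNDARY,
                             "iam:PassRole", ROLE_ARN,
                             {"iam:PassedToService": svc})
        print(f"pass role to {svc}: {ok}")
    print("iam:CreateUser via pipeline role:",
          effective_allow(OVERBROAD_ROLE_POLICY, PIPELINE_BOUNDARY,
                          "iam:CreateUser", "*", {}))
```

The point the model makes visible is that the boundary condition on the developer role is what stops a developer from creating a role with no boundary or with a boundary they wrote themselves, and that the boundary on the created role, not its own policy, decides what it can finally do. A real check against the account should use the IAM policy simulator rather than this toy evaluator, since it ignores Deny statements and the other condition operators.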