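I have a test account where I would like to let developers try anything they like, except that I don't want to give them permission to add/delete/mess with other users. I tried allowing everything and then denying IAM access, but then they can't change their own passwords. For example: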
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"*"
],
"Resource": [
"*"
]
},
{
"Effect": "Deny",
"Action": [
"iam:*"
],
"Resource": [
"*"
]
}
]
}
This gives users the following error when they try to log in and change their password:
User is not authorized to perform iam:ChangePassword
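Answer 0: (score: 1)
I found an answer that I'm only moderately satisfied with. I did this by denying every IAM action except being able to change the password and view the password requirements.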
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"*"
],
"Resource": [
"*"
]
},
{
"Effect": "Deny",
"Action": [
"iam:AddRoleToInstanceProfile",
"iam:AddUserToGroup",
"iam:AddClientIDToOpenIDConnectProvider",
"iam:AttachGroupPolicy",
"iam:AttachRolePolicy",
"iam:AttachUserPolicy",
"iam:CreateAccessKey",
"iam:CreateAccountAlias",
"iam:CreateGroup",
"iam:CreateInstanceProfile",
"iam:CreateLoginProfile",
"iam:CreateOpenIDConnectProvider",
"iam:CreatePolicy",
"iam:CreatePolicyVersion",
"iam:CreateRole",
"iam:CreateSAMLProvider",
"iam:CreateUser",
"iam:CreateVirtualMFADevice",
"iam:DeactivateMFADevice",
"iam:DeleteAccessKey",
"iam:DeleteAccountAlias",
"iam:DeleteAccountPasswordPolicy",
"iam:DeleteGroup",
"iam:DeleteGroupPolicy",
"iam:DeleteInstanceProfile",
"iam:DeleteLoginProfile",
"iam:DeleteOpenIDConnectProvider",
"iam:DeletePolicy",
"iam:DeletePolicyVersion",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DeleteSAMLProvider",
"iam:DeleteSSHPublicKey",
"iam:DeleteServerCertificate",
"iam:DeleteSigningCertificate",
"iam:DeleteUser",
"iam:DeleteUserPolicy",
"iam:DeleteVirtualMFADevice",
"iam:DetachGroupPolicy",
"iam:DetachRolePolicy",
"iam:DetachUserPolicy",
"iam:EnableMFADevice",
"iam:GenerateCredentialReport",
"iam:GenerateServiceLastAccessedDetails",
"iam:GetAccessKeyLastUsed",
"iam:GetAccountAuthorizationDetails",
"iam:GetAccountSummary",
"iam:GetContextKeysForCustomPolicy",
"iam:GetContextKeysForPrincipalPolicy",
"iam:GetCredentialReport",
"iam:GetGroup",
"iam:GetGroupPolicy",
"iam:GetInstanceProfile",
"iam:GetLoginProfile",
"iam:GetOpenIDConnectProvider",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:GetSAMLProvider",
"iam:GetSSHPublicKey",
"iam:GetServerCertificate",
"iam:GetServiceLastAccessedDetails",
"iam:GetServiceLastAccessedDetailsWithEntities",
"iam:GetUser",
"iam:GetUserPolicy",
"iam:ListAccessKeys",
"iam:ListAccountAliases",
"iam:ListAttachedGroupPolicies",
"iam:ListAttachedRolePolicies",
"iam:ListAttachedUserPolicies",
"iam:ListEntitiesForPolicy",
"iam:ListGroupPolicies",
"iam:ListGroups",
"iam:ListGroupsForUser",
"iam:ListInstanceProfiles",
"iam:ListInstanceProfilesForRole",
"iam:ListMFADevices",
"iam:ListOpenIDConnectProviders",
"iam:ListPolicies",
"iam:ListPoliciesGrantingServiceAccess",
"iam:ListPolicyVersions",
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:ListSAMLProviders",
"iam:ListSSHPublicKeys",
"iam:ListServerCertificates",
"iam:ListSigningCertificates",
"iam:ListUserPolicies",
"iam:ListUsers",
"iam:ListVirtualMFADevices",
"iam:PassRole",
"iam:PutGroupPolicy",
"iam:PutRolePolicy",
"iam:PutUserPolicy",
"iam:RemoveClientIDFromOpenIDConnectProvider",
"iam:RemoveRoleFromInstanceProfile",
"iam:RemoveUserFromGroup",
"iam:ResyncMFADevice",
"iam:SetDefaultPolicyVersion",
"iam:SimulateCustomPolicy",
"iam:SimulatePrincipalPolicy",
"iam:UpdateAccessKey",
"iam:UpdateAccountPasswordPolicy",
"iam:UpdateAssumeRolePolicy",
"iam:UpdateGroup",
"iam:UpdateLoginProfile",
"iam:UpdateOpenIDConnectProviderThumbprint",
"iam:UpdateSAMLProvider",
"iam:UpdateSSHPublicKey",
"iam:UpdateServerCertificate",
"iam:UpdateSigningCertificate",
"iam:UpdateUser",
"iam:UploadSSHPublicKey",
"iam:UploadServerCertificate",
"iam:UploadSigningCertificate"
],
"Resource": [
"*"
]
}
]
}
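It works, but I'd like something more concise/future-proof.
Answer 1: (score: 1)
For a more concise answer, you can use wildcards. Not perfectly future-proof, but these are most of the harmful verbs. :)
Also, I find the policy simulator very useful: IAM policy simulator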
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
},
{
"Effect": "Deny",
"Action": [
"iam:Add*",
"iam:Create*",
"iam:Deactivate*",
"iam:Delete*",
"iam:Detach*",
"iam:Enable*",
"iam:PassRole",
"iam:Put*",
"iam:Remove*",
"iam:Resync*",
"iam:Set*",
"iam:Simulate*",
"iam:Update*"
],
"Resource": "*"
}
]
}
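Answer 2: (score: 1)
You can use something like the below. Use NotAction. This will deny everything in IAM except what you mention in NotAction. You can create users with the below, but note that you also have to assign policies/roles, so add permissions for the user under "NotAction". Everything except the actions specified in "NotAction" will be blocked in the IAM console. The other part of the policy allows everything in the console. So this blocks only IAM while allowing everything else and certain IAM attributes.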
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Deny",
"NotAction": [
"iam:CreateUser"
],
"Resource": "arn:aws:iam::*:*"
},
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
Best regards, Sanjeev B.
Answer 3: (score: 0)
I use the following for Infra admins who don't need access to user/group/policy changes.
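Added example (not part of the original posts): a simplified sketch of IAM's evaluation order, where an explicit Deny overrides any Allow, applied to the question's policy and to the wildcard and NotAction policies from answers 1 and 2. It ignores conditions, SCPs and permission boundaries; the account ID, user ARN, sample action list and all function names are constructed for illustration.

```python
import fnmatch

def _matches(patterns, value):
    """'*' wildcard match, case-insensitive (simplification: ARNs compared the same way)."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def applies(stmt, action, resource):
    if "NotAction" in stmt:      # statement covers every action NOT listed
        hit = not _matches(stmt["NotAction"], action)
    else:
        hit = _matches(stmt["Action"], action)
    return hit and _matches(stmt["Resource"], resource)

def evaluate(policy, action, resource):
    """Explicit Deny beats Allow; no matching statement is an implicit deny."""
    effects = {s["Effect"] for s in policy["Statement"] if applies(s, action, resource)}
    if "Deny" in effects:
        return "explicit deny"
    return "allow" if "Allow" in effects else "implicit deny"

ALLOW_ALL = {"Effect": "Allow", "Action": "*", "Resource": "*"}

def with_deny(deny):             # allow-all plus one Deny statement, as on the page
    return {"Version": "2012-10-17", "Statement": [ALLOW_ALL, deny]}

QUESTION = with_deny({"Effect": "Deny", "Action": ["iam:*"], "Resource": "*"})
WILDCARD = with_deny({"Effect": "Deny", "Resource": "*", "Action": [
    "iam:Add*", "iam:Create*", "iam:Deactivate*", "iam:Delete*", "iam:Detach*",
    "iam:Enable*", "iam:PassRole", "iam:Put*", "iam:Remove*", "iam:Resync*",
    "iam:Set*", "iam:Simulate*", "iam:Update*"]})
NOTACTION = with_deny({"Effect": "Deny", "NotAction": ["iam:CreateUser"],
                       "Resource": "arn:aws:iam::*:*"})

# Constructed sample: a placeholder user ARN, iam:ChangePassword from the
# question, and a few actions taken from the explicit deny list in answer 0.
USER = "arn:aws:iam::111122223333:user/dev"
SAMPLE = ["iam:ChangePassword", "iam:CreateUser", "iam:AttachUserPolicy",
          "iam:UploadSSHPublicKey", "iam:DeleteUser"]

def report(policy):
    return {action: evaluate(policy, action, USER) for action in SAMPLE}

if __name__ == "__main__":
    for name, pol in [("question", QUESTION), ("wildcard", WILDCARD),
                      ("NotAction", NOTACTION)]:
        print(name, report(pol))
```

For these sample actions, the wildcard policy leaves iam:AttachUserPolicy and iam:UploadSSHPublicKey allowed although answer 0's explicit list denies them, and the NotAction policy as posted still denies iam:ChangePassword. Confirm the result for a real account with the IAM policy simulator mentioned in answer 1.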
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"*"
],
"Resource": [
"*"
]
},
{
"Effect": "Deny",
"Action": [
"iam:AddUserToGroup",
"iam:AddClientIDToOpenIDConnectProvider",
"iam:AttachGroupPolicy",
"iam:AttachRolePolicy",
"iam:AttachUserPolicy",
"iam:CreateGroup",
"iam:CreateLoginProfile",
"iam:CreateOpenIDConnectProvider",
"iam:CreatePolicy",
"iam:CreatePolicyVersion",
"iam:CreateRole",
"iam:CreateSAMLProvider",
"iam:CreateUser",
"iam:DeleteAccountPasswordPolicy",
"iam:DeleteGroup",
"iam:DeleteGroupPolicy",
"iam:DeleteLoginProfile",
"iam:DeleteOpenIDConnectProvider",
"iam:DeletePolicy",
"iam:DeletePolicyVersion",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DeleteSAMLProvider",
"iam:DeleteUser",
"iam:DeleteUserPolicy",
"iam:DetachGroupPolicy",
"iam:DetachRolePolicy",
"iam:DetachUserPolicy",
"iam:PutGroupPolicy",
"iam:PutRolePolicy",
"iam:PutUserPolicy",
"iam:RemoveClientIDFromOpenIDConnectProvider",
"iam:RemoveUserFromGroup",
"iam:SetDefaultPolicyVersion",
"iam:UpdateAccountPasswordPolicy",
"iam:UpdateAssumeRolePolicy",
"iam:UpdateGroup",
"iam:UpdateLoginProfile",
"iam:UpdateOpenIDConnectProviderThumbprint",
"iam:UpdateSAMLProvider",
"iam:UpdateUser"
],
"Resource": [
"*"
]
}
]
}