SecurityManager
Security Manager
The security manager can manage all of the security products and is responsible for investigating and responding to security issues.
How to configure
IAM
Step 1: Create the group
Global regions: IAM Identity Center is recommended. Create a group, for example named SecurityManager.
China regions: use IAM. Create a user group, for example named SecurityManager.
Step 2: Create the policies
1) Create a new policy that allows creating and managing the relevant security products.
If there are special requirements, copy the managed policy and modify the copy.
If the policy does not cover a security product that has to be managed, create a further policy that grants full management of that one product and attach it to the security manager's group as well.
The policy below lists each product explicitly as one "service-name:*" action, where "service-name" is the product's IAM service prefix, for example "kms" giving "kms:*"; add another product in the same form.
To raise the bar, add a Condition that limits access to a known source IP range (aws:SourceIp) and requires MFA (aws:MultiFactorAuthPresent); in a multi-account setup, apply the same constraints through an SCP instead, as described in "Restricting high-risk operations with conditions". Note that as written the SecurityAdmin statement grants every action in every listed service on every resource, and several of the prefixes (ssm, lambda, logs, events, sso, identitystore) reach well beyond security tooling, so treat the conditions as required or trim the list to what the security manager actually needs.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SecurityAdmin",
      "Effect": "Allow",
      "Action": [
        "acm-pca:*",
        "macie2:*",
        "kms:*",
        "tag:*",
        "acm:*",
        "inspector:*",
        "secretsmanager:*",
        "securityhub:*",
        "securitylake:*",
        "cloudhsm:*",
        "access-analyzer:*",
        "verified-access:*",
        "athena:*",
        "cloudtrail:*",
        "logs:*",
        "cloudtrail-data:*",
        "config:*",
        "detective:*",
        "guardduty:*",
        "pca-connector-ad:*",
        "rolesanywhere:*",
        "sso-directory:*",
        "sso:*",
        "lakeformation:*",
        "events:*",
        "ssm:*",
        "lambda:*",
        "inspector2:*",
        "shield:*",
        "waf:*",
        "waf-regional:*",
        "wafv2:*",
        "network-firewall:*",
        "fms:*",
        "controltower:*",
        "ds:DescribeDirectories",
        "ds:AuthorizeApplication",
        "ds:UnauthorizeApplication",
        "ds:DescribeTrusts",
        "organizations:EnableAWSServiceAccess",
        "organizations:DescribeOrganization",
        "organizations:DescribeAccount",
        "organizations:ListRoots",
        "organizations:ListAccounts",
        "organizations:ListAccountsForParent",
        "organizations:ListParents",
        "organizations:ListChildren",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListDelegatedAdministrators",
        "identitystore:*",
        "identitystore-auth:*",
        "ds:CreateAlias",
        "access-analyzer:ValidatePolicy"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AWSSSOManageDelegatedAdministrator",
      "Effect": "Allow",
      "Action": [
        "organizations:RegisterDelegatedAdministrator",
        "organizations:DeregisterDelegatedAdministrator"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "organizations:ServicePrincipal": "sso.amazonaws.com"
        }
      }
    }
  ]
}
Step 3: Create the users and add them to the group
For each person who is allowed to hold security manager permissions, create a user (an Identity Center user in Global regions, an IAM user in China regions) and add it to the SecurityManager group created above.
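The three steps above, carried through in code as an added example (not the page's own tooling): it builds the "service-name:*" policy the page describes, adds the source-IP and MFA conditions the page recommends, flags any wildcard statement that still lacks a condition, and shows the China-region IAM flow (group, policy, attach, users) with boto3. The service prefixes come from the page's policy; the CIDR 203.0.113.0/24, the policy name SecurityManagerPolicy and the user names are assumed, and PAGE_POLICY is an abbreviated, constructed copy of the page's statement shape.

```python
"""SecurityManager policy builder for the Step 1-3 procedure on this page.

Added example, not the page's own tooling. Assumed values: the office CIDR
203.0.113.0/24, the policy name SecurityManagerPolicy and the user names.
"""
import json

# Service prefixes taken from the page's policy (abbreviated list).
SECURITY_SERVICES = [
    "kms", "securityhub", "guardduty", "inspector2", "detective", "macie2",
    "cloudtrail", "config", "access-analyzer", "secretsmanager",
    "wafv2", "network-firewall", "fms", "shield",
]

# Read-only Organizations actions the page's policy grants beside the wildcards.
ORG_READ_ACTIONS = [
    "organizations:DescribeOrganization",
    "organizations:ListAccounts",
    "organizations:ListDelegatedAdministrators",
]

# Constructed, abbreviated copy of the page's policy: the SecurityAdmin
# statement has no Condition, the delegated-administrator statement has one.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "SecurityAdmin", "Effect": "Allow",
         "Action": ["kms:*", "securityhub:*", "guardduty:*"], "Resource": "*"},
        {"Sid": "AWSSSOManageDelegatedAdministrator", "Effect": "Allow",
         "Action": ["organizations:RegisterDelegatedAdministrator",
                    "organizations:DeregisterDelegatedAdministrator"],
         "Resource": "*",
         "Condition": {"StringEquals": {
             "organizations:ServicePrincipal": "sso.amazonaws.com"}}},
    ],
}


def build_policy(service_prefixes, allowed_cidrs=(), require_mfa=True,
                 extra_actions=()):
    """Return a policy document (dict) granting "<prefix>:*" per product.

    A single prefix gives the per-product policy the page suggests when one
    product is missing from the main policy. allowed_cidrs and require_mfa
    add the Condition the page recommends for the wildcard statement.
    """
    statement = {
        "Sid": "SecurityAdmin",
        "Effect": "Allow",
        "Action": [f"{p}:*" for p in service_prefixes] + list(extra_actions),
        "Resource": "*",
    }
    condition = {}
    if allowed_cidrs:
        # Requests from any other source address do not match this Allow.
        condition["IpAddress"] = {"aws:SourceIp": list(allowed_cidrs)}
    if require_mfa:
        # Long-term access keys used without an MFA-backed session do not match.
        condition["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    if condition:
        statement["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [statement]}


def unconditioned_wildcards(policy):
    """Sids of Allow statements with a wildcard action on Resource "*" and no
    Condition: the statements the page says to constrain (or move into an SCP)."""
    flagged = []
    for st in policy["Statement"]:
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        wildcard = any(a == "*" or a.endswith(":*") for a in actions)
        if (st.get("Effect") == "Allow" and wildcard and "*" in resources
                and not st.get("Condition")):
            flagged.append(st.get("Sid", "<no Sid>"))
    return flagged


def policy_json(policy):
    """Serialize for the IAM API; managed policy documents are limited to
    6144 characters not counting whitespace."""
    doc = json.dumps(policy, indent=2)
    if len("".join(doc.split())) > 6144:
        raise ValueError("policy document exceeds the 6144-character limit")
    return doc


def apply_iam_group(policy, users, group_name="SecurityManager",
                    policy_name="SecurityManagerPolicy"):
    """China-region flow from the page: group -> policy -> attach -> users.
    Needs boto3 and IAM credentials, so it is not run by default."""
    import boto3  # imported here so the rest of the module runs without it

    iam = boto3.client("iam")
    iam.create_group(GroupName=group_name)
    arn = iam.create_policy(PolicyName=policy_name,
                            PolicyDocument=policy_json(policy))["Policy"]["Arn"]
    iam.attach_group_policy(GroupName=group_name, PolicyArn=arn)
    for name in users:
        iam.create_user(UserName=name)
        iam.add_user_to_group(GroupName=group_name, UserName=name)
    return arn


if __name__ == "__main__":
    hardened = build_policy(SECURITY_SERVICES, ["203.0.113.0/24"],
                            extra_actions=ORG_READ_ACTIONS)
    print("unconditioned in page policy:", unconditioned_wildcards(PAGE_POLICY))
    print("unconditioned in hardened policy:", unconditioned_wildcards(hardened))
    print(policy_json(hardened))
    # apply_iam_group(hardened, users=["alice"])  # needs China-region IAM credentials
```

The MFA condition is written for the IAM-user flow the page prescribes for China regions, where users carry their own MFA devices. In the Global flow the policy goes on an Identity Center permission set rather than an IAM group and MFA is enforced at Identity Center sign-in, so pass require_mfa=False there and keep only the source-IP condition.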