search

Time-based access control

hashtag
Summary of the IAM Policy Document

The IAM policy document outlined specifies a set of permissions that allow certain actions to be performed on various AWS services. These actions include describing, listing, getting statuses, tagging, and looking up events across services like ACM, CloudTrail, CloudWatch, Config, Detective, EC2, GuardDuty, IAM, Inspector, KMS, S3, Secrets Manager, SecurityHub, and Trusted Advisor.

  • Effect: Allow - This policy allows the actions specified.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                    "acm:Describe*",
                    "acm:List*",
                    "cloudtrail:Describe*",
                    "cloudtrail:Get*",
                    "cloudtrail:GetTrailStatus",
                    "cloudtrail:ListTags",
                    "cloudtrail:LookupEvents",
                    "cloudwatch:Describe*",
                    "cloudwatch:ListTagsForResource",
                    "config:BatchGetAggregateResourceConfig",
                    "config:BatchGetResourceConfig",
                    "config:Deliver*",
                    "config:Describe*",
                    "config:Get*",
                    "config:List*",
                    "detective:GetGraphIngestState",
                    "detective:ListGraphs",
                    "detective:ListMembers",
                    "ec2:Describe*",
                    "ec2:Get*",
                    "guardduty:DescribePublishingDestination",
                    "guardduty:Get*",
                    "guardduty:List*",
                    "iam:GenerateCredentialReport",
                    "iam:GenerateServiceLastAccessedDetails",
                    "iam:Get*",
                    "iam:List*",
                    "inspector:Describe*",
                    "kms:Describe*",
                    "kms:Get*",
                    "kms:List*",
                    "s3:Get*",
                    "s3:List*",
                    "secretsmanager:DescribeSecret",
                    "secretsmanager:GetResourcePolicy",
                    "secretsmanager:List*",
                    "securityhub:Describe*",
                    "securityhub:Get*",
                    "securityhub:List*",
                    "trustedadvisor:Describe*"
            ],
            "Resource": "*",
            "Condition": {
                "DateGreaterThan": {
                    "aws:CurrentTime": "2024-07-26T00:00:00Z"
                },
                "DateLessThan": {
                    "aws:CurrentTime": "2024-07-27T23:59:59Z"
                }
            }
        }
    ]
}
上一页AllowSSLRequestsOnly下一页场景化IAM实践-应用程序安全

最后更新于