仅访问可信资源

以下策略声明（resource_perimeter_policy）将访问限制为仅允许可信资源。第一条语句通过 NotAction + Deny 对组织外资源拒绝除所列动作之外的所有操作；被排除的动作通常用于访问 AWS 托管资源（例如 AWS 托管的 IAM 策略、SSM 公共参数），或由后续针对 S3、ECR 和第三方账户的语句以更精细的条件单独约束：

  • 资源属于你的 AWS Organizations 组织：请将策略中的组织 ID 占位符 (<my-org-id>) 替换为实际值。策略中其他占位符同样需要替换或删除：<action>（保留在 NotAction/Action 中会导致策略无法通过 IAM 校验，或不匹配任何实际 API 动作）、ecr-account-id，以及 <third-party-account-a>/<third-party-account-b>；

此身份策略应用于 IAM 主体（principals），以防止它们与不属于您组织（或未明确列入的账户）的资源进行交互。例如，您可以通过全局条件键 aws:ResourceOrgID 拒绝访问不属于组织的 SQS、SNS 和 S3 资源。注意各语句使用的是 StringNotEqualsIfExists：当请求上下文中不存在该键时（例如资源所属账户未加入任何组织），条件视为成立，Deny 同样生效。

如需允许某个主体访问组织外的资源，可为该请求主体添加标签 resource-perimeter-exception: true。注意：该标签等同于绕过整个资源边界，因此必须严格限制谁能为 IAM 用户/角色打标签或在担任角色时传递会话标签（例如 iam:TagUser、iam:TagRole、sts:TagSession），否则主体可自行添加该标签来逃逸此策略。

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid":"EnforceResourcePerimeterAWSResources",
         "Effect":"Deny",
         "NotAction":[
            "iam:GetPolicy",
            "iam:GetPolicyVersion",
            "iam:ListEntitiesForPolicy",
            "iam:ListPolicyVersions",
            "iam:GenerateServiceLastAccessedDetails",
            "s3:GetObject",
            "s3:PutObject",
            "s3:PutObjectAcl",
            "ssm:Describe*",
            "ssm:List*",
            "ssm:Get*",
            "ecr:GetDownloadUrlForLayer",
            "ecr:BatchGetImage",
            "<action>"

         ],
         "Resource":"*",
         "Condition":{
            "StringNotEqualsIfExists":{
               "aws:ResourceOrgID":"<my-org-id>",
               "ec2:Owner":"amazon",
               "aws:PrincipalTag/resource-perimeter-exception": "true"
            }
         }
      },
      {
         "Sid":"EnforceResourcePerimeterAWSResourcesS3",
         "Effect":"Deny",
         "Action":[
            "s3:GetObject",
            "s3:PutObject",
            "s3:PutObjectAcl"
         ],
         "Resource":"*",
         "Condition":{
            "StringNotEqualsIfExists":{
               "aws:ResourceOrgID":"<my-org-id>",
               "aws:PrincipalTag/resource-perimeter-exception": "true"
            },
            "ForAllValues:StringNotEquals":{
               "aws:CalledVia":[
                  "dataexchange.amazonaws.com",
                  "servicecatalog.amazonaws.com"
               ]
            }
         }
      },
      {
         "Sid": "EnforceResourcePerimeterAWSResourcesECR",
         "Effect": "Deny",
         "Action": [
           "ecr:GetDownloadUrlForLayer",
           "ecr:BatchGetImage"
         ],
         "Resource": "*",
         "Condition": {
             "StringNotEqualsIfExists": {
                 "aws:ResourceAccount": "<ecr-account-id>",
                 "aws:ResourceOrgId": "<my-org-id>",
                 "aws:PrincipalTag/resource-perimeter-exception": "true"
             }
         }
      },
      {
         "Sid":"EnforceResourcePerimeterThirdPartyResources",
         "Effect":"Deny",
         "Action":"<action>",
         "Resource":"*",
         "Condition":{
            "StringNotEqualsIfExists":{
               "aws:ResourceOrgID":"<my-org-id>",
               "aws:PrincipalTag/resource-perimeter-exception": "true",
               "aws:ResourceAccount": [
                  "<third-party-account-a>",
                  "<third-party-account-b>"
               ]
            }
         }
      }
   ]
}
