仅访问可信资源
策略声明包含在 resource_perimeter_policy 中，用于限制仅允许访问可信资源：
资源属于你的 Organizations（请将策略中的组织 ID `<my-org-id>` 替换为你自己的组织 ID）；
此身份策略应用于 IAM principals，以防止他们与不属于特定账户的资源进行交互。例如，您可以使用此策略拒绝访问不属于组织的 SQS、SNS 和 S3 资源，所用的全局条件关键字为 aws:ResourceOrgID。
若需允许访问组织外的资源，则为请求者（IAM 主体）添加标签 resource-perimeter-exception: true。由于带有该标签的主体会绕过此边界，应同时严格限制为主体或会话添加该标签的权限（如 iam:TagUser、iam:TagRole、sts:TagSession），并对其使用进行审计。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid":"EnforceResourcePerimeterAWSResources",
"Effect":"Deny",
"NotAction":[
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:ListEntitiesForPolicy",
"iam:ListPolicyVersions",
"iam:GenerateServiceLastAccessedDetails",
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl",
"ssm:Describe*",
"ssm:List*",
"ssm:Get*",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"<action>"
],
"Resource":"*",
"Condition":{
"StringNotEqualsIfExists":{
"aws:ResourceOrgID":"<my-org-id>",
"ec2:Owner":"amazon",
"aws:PrincipalTag/resource-perimeter-exception": "true"
}
}
},
{
"Sid":"EnforceResourcePerimeterAWSResourcesS3",
"Effect":"Deny",
"Action":[
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource":"*",
"Condition":{
"StringNotEqualsIfExists":{
"aws:ResourceOrgID":"<my-org-id>",
"aws:PrincipalTag/resource-perimeter-exception": "true"
},
"ForAllValues:StringNotEquals":{
"aws:CalledVia":[
"dataexchange.amazonaws.com",
"servicecatalog.amazonaws.com"
]
}
}
},
{
"Sid": "EnforceResourcePerimeterAWSResourcesECR",
"Effect": "Deny",
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage"
],
"Resource": "*",
"Condition": {
"StringNotEqualsIfExists": {
"aws:ResourceAccount": "ecr-account-id",
"aws:ResourceOrgId": "<my-org-id>",
"aws:PrincipalTag/resource-perimeter-exception": "true"
}
}
},
{
"Sid":"EnforceResourcePerimeterThirdPartyResources",
"Effect":"Deny",
"Action":"<action>",
"Resource":"*",
"Condition":{
"StringNotEqualsIfExists":{
"aws:ResourceOrgID":"<my-org-id>",
"aws:PrincipalTag/resource-perimeter-exception": "true",
"aws:ResourceAccount": [
"<third-party-account-a>",
"<third-party-account-b>"
]
}
}
}
]
}