RAM: Prevent external sharing
The following example SCP prevents users from sharing resources with IAM users and roles outside the organization.
No exceptions
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ram:CreateResourceShare",
        "ram:UpdateResourceShare"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "ram:RequestedAllowsExternalPrincipals": "true"
        }
      }
    }
  ]
}
Allow only specific accounts to share resources
The following SCP allows only accounts 111111111111 and 222222222222 to create resource shares containing prefix lists and to associate prefix lists with existing resource shares.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OnlyNamedAccountsCanSharePrefixLists",
      "Effect": "Deny",
      "Action": [
        "ram:AssociateResourceShare",
        "ram:CreateResourceShare"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalAccount": [
            "111111111111",
            "222222222222"
          ]
        },
        "StringEquals": {
          "ram:RequestedResourceType": "ec2:PrefixList"
        }
      }
    }
  ]
}
Allow sharing only with specified IAM users and roles
The following example SCP allows users to share resources only with organization o-12345abcdef, organizational unit ou-98765fedcba, and account 111111111111.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ram:AssociateResourceShare",
        "ram:CreateResourceShare"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringNotEquals": {
          "ram:Principal": [
            "arn:aws:organizations::123456789012:organization/o-12345abcdef",
            "arn:aws:organizations::123456789012:ou/o-12345abcdef/ou-98765fedcba",
            "111111111111"
          ]
        }
      }
    }
  ]
}
Allow external sharing when a specific tag is present
External sharing is permitted when the tag identity-perimeter-exception: true is present. Note that both statements use the condition key aws:PrincipalTag, so the tag is checked on the calling IAM user or role, not on the shared resource. The second statement extends the same exception to service-specific sharing APIs that bypass RAM (AMI and snapshot attributes, VPC endpoint service permissions, SSM documents, Redshift data shares, and others).
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PreventRAMExternalResourceShare",
      "Effect": "Deny",
      "Action": [
        "ram:CreateResourceShare",
        "ram:UpdateResourceShare"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalTag/identity-perimeter-exception": "true"
        },
        "Bool": {
          "ram:RequestedAllowsExternalPrincipals": "true"
        }
      }
    },
    {
      "Sid": "PreventExternalResourceShare",
      "Effect": "Deny",
      "Action": [
        "ec2:ModifyImageAttribute",
        "ec2:ModifyFPGAImageAttribute",
        "ec2:ModifySnapshotAttribute",
        "ec2:ModifyVpcEndpointServicePermissions",
        "ssm:ModifyDocumentPermission",
        "rds:ModifyDBSnapshotAttribute",
        "rds:ModifyDBClusterSnapshotAttribute",
        "redshift:AuthorizeDataShare",
        "redshift:AuthorizeSnapshotAccess",
        "ds:ShareDirectory",
        "logs:PutSubscriptionFilter",
        "lakeformation:GrantPermissions",
        "lakeformation:BatchGrantPermissions",
        "appstream:UpdateImagePermissions"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalTag/identity-perimeter-exception": "true"
        }
      }
    }
  ]
}
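To see how the condition blocks in these SCPs behave, the following added example (not AWS or RAM code, and not part of the original page) approximates IAM evaluation for the operators used above: Bool, StringEquals, StringNotEquals, the ...IfExists variants, and ForAnyValue. It embeds the Deny statements of the tag-exception SCP and the named-principals SCP and checks them against constructed request contexts, showing that an untagged principal is denied, a principal tagged identity-perimeter-exception: true is not, and a share that names even one principal outside the allowed list is denied.

```python
"""Offline check of how the SCP condition blocks above behave.
Added example, not AWS or RAM code: it approximates IAM semantics only for the
operators these policies use; context keys are the ones the policies read."""

ORG = "arn:aws:organizations::123456789012:organization/o-12345abcdef"
OU = "arn:aws:organizations::123456789012:ou/o-12345abcdef/ou-98765fedcba"

# Deny statement of the tag-exception SCP above (Sid PreventRAMExternalResourceShare).
TAG_EXCEPTION = {"Effect": "Deny",
    "Action": ["ram:CreateResourceShare", "ram:UpdateResourceShare"],
    "Condition": {
        "StringNotEqualsIfExists": {"aws:PrincipalTag/identity-perimeter-exception": "true"},
        "Bool": {"ram:RequestedAllowsExternalPrincipals": "true"}}}

# Deny statement of the "share only with the named org/OU/account" SCP above.
NAMED_PRINCIPALS = {"Effect": "Deny",
    "Action": ["ram:AssociateResourceShare", "ram:CreateResourceShare"],
    "Condition": {"ForAnyValue:StringNotEquals": {"ram:Principal": [ORG, OU, "111111111111"]}}}

def condition_matches(op, ctx_value, allowed):
    """Evaluate one condition: operator, request value(s), policy value(s)."""
    allowed = allowed if isinstance(allowed, list) else [allowed]
    set_op, _, base = op.rpartition(":")        # e.g. "ForAnyValue", "StringNotEquals"
    if ctx_value is None:                        # key absent from the request context:
        return base.endswith("IfExists")         # only ...IfExists operators still match
    base = base.removesuffix("IfExists")
    tests = {"Bool": lambda v: v.lower() == allowed[0].lower(),
             "StringEquals": lambda v: v in allowed,
             "StringNotEquals": lambda v: v not in allowed}
    match = tests[base]                          # KeyError: operator not modelled here
    values = ctx_value if isinstance(ctx_value, list) else [ctx_value]
    return any(map(match, values)) if set_op == "ForAnyValue" else match(values[0])

def denied(statement, action, ctx):
    """True when this Deny statement applies to the request (action + context)."""
    if action not in statement["Action"]:
        return False
    return all(condition_matches(op, ctx.get(key), val)   # every condition block must match
               for op, block in statement["Condition"].items()
               for key, val in block.items())

if __name__ == "__main__":                       # constructed request contexts, not real API traces
    untagged = {"ram:RequestedAllowsExternalPrincipals": "true"}
    tagged = {**untagged, "aws:PrincipalTag/identity-perimeter-exception": "true"}
    print(denied(TAG_EXCEPTION, "ram:CreateResourceShare", untagged),   # True: no tag, IfExists matches
          denied(TAG_EXCEPTION, "ram:CreateResourceShare", tagged),     # False: exception tag honoured
          denied(NAMED_PRINCIPALS, "ram:CreateResourceShare",
                 {"ram:Principal": [ORG, "333333333333"]}))             # True: one foreign account
```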