阻止 IaC 已经支持的所有行动
如果已经使用了基础架构即代码,那么自动流程执行的操作就不允许在控制台手动操作。因为在已有的流水线中,我们可以保证资源已采取安全加固措施并获得很好的保护。您一定不希望员工随意修改资源并将其置于风险之中。
禁止修改由AWS Control Tower 和 AWS CloudFormation创建的IAM Roles
如果没有使用Control Tower则可以禁止修改由CloudFormation自动创建出来的role。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "GRIAMROLEPOLICY",
"Effect": "Deny",
"Action": [
"iam:AttachRolePolicy",
"iam:CreateRole",
"iam:DeleteRole",
"iam:DeleteRolePermissionsBoundary",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:PutRolePermissionsBoundary",
"iam:PutRolePolicy",
"iam:UpdateAssumeRolePolicy",
"iam:UpdateRole",
"iam:UpdateRoleDescription"
],
"Resource": [
"arn:aws:iam::*:role/aws-controltower-*",
"arn:aws:iam::*:role/*AWSControlTower*",
"arn:aws:iam::*:role/stacksets-exec-*"
],
"Condition": {
"ArnNotLike": {
"aws:PrincipalArn": [
"arn:aws:iam::*:role/AWSControlTowerExecution",
"arn:aws:iam::*:role/stacksets-exec-*"
]
}
}
}
]
}禁止修改由CloudFormation创建出来的 AWS Lambda Functions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "GRLAMBDAFUNCTIONPOLICY",
"Effect": "Deny",
"Action": [
"lambda:AddPermission",
"lambda:CreateEventSourceMapping",
"lambda:CreateFunction",
"lambda:DeleteEventSourceMapping",
"lambda:DeleteFunction",
"lambda:DeleteFunctionConcurrency",
"lambda:PutFunctionConcurrency",
"lambda:RemovePermission",
"lambda:UpdateEventSourceMapping",
"lambda:UpdateFunctionCode",
"lambda:UpdateFunctionConfiguration"
],
"Resource": [
"arn:aws:iam::*:role/stacksets-exec-*"
],
"Condition": {
"ArnNotLike": {
"aws:PrincipalArn": [
"arn:aws:iam::*:role/stacksets-exec-*"
]
}
}
}
]
}
禁止修改由CloudFormation创建出来的Amazon SNS
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "GRSNSTOPICPOLICY",
"Effect": "Deny",
"Action": [
"sns:AddPermission",
"sns:CreateTopic",
"sns:DeleteTopic",
"sns:RemovePermission",
"sns:SetTopicAttributes",
"sns:Subscribe",
"sns:Unsubscribe"
],
"Resource": [
"arn:aws:iam::*:role/stacksets-exec-*"
],
"Condition": {
"ArnNotLike": {
"aws:PrincipalArn": [
"arn:aws:iam::*:role/stacksets-exec-*"
]
}
}
}
]
}
最后更新于