IAM Role Trust Policy

仅允许组织范围内的资源代入role:替换组织id,"<my-org-id>";

替换为允许代入role的第三方账号ID:"<third-party-account-a>"

还可以通过限制访问者的IP段以增加安全性。替换"<my-corporate-cidr>"为公司的办公网IP段。

或者也可以指定允许使用代入角色的某个iam role,替换"arn:aws:iam::<my-account-id>:role/aws-service-role/*"为可信的角色ARN。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EnforceIdentityPerimeter",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "sts:AssumeRole",
                "sts:AssumeRoleWithWebIdentity"
            ],
            "Condition": {
                "StringNotEqualsIfExists": {
                    "aws:PrincipalOrgID": "<my-org-id>",
                    "aws:PrincipalAccount": [
                        "<third-party-account-a>",
                        "<third-party-account-b>"
                    ]
                },
                "BoolIfExists": {
                    "aws:PrincipalIsAWSService": "false"
                }
            }
        },
        {
            "Sid": "EnforceNetworkPerimeter",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
              },
            "Action": [
                "sts:AssumeRole",
                "sts:AssumeRoleWithSAML",
                "sts:AssumeRoleWithWebIdentity"
            ],
            "Condition": {
                "NotIpAddressIfExists": {
                    "aws:SourceIp": "<my-corporate-cidr>"
                },
                "StringNotEqualsIfExists": {
                    "aws:SourceVpc": "<my-vpc>",
                    "aws:PrincipalTag/network-perimeter-exception": "true",
                    "aws:PrincipalAccount": [
                        "<third-party-account-a>",
                        "<third-party-account-b>"
                    ]
                },
                "BoolIfExists": {
                    "aws:PrincipalIsAWSService": "false",
                    "aws:ViaAWSService": "false"
                },
                "ArnNotLikeIfExists": {
                    "aws:PrincipalArn": "arn:aws:iam::<my-account-id>:role/aws-service-role/*"
                }
            }
        }
    ]
}

参考资料

Github - https://github.com/aws-samples/data-perimeter-policy-examples/blob/main/resource_based_policies/iam_role_trust_policy.json

上一页资源策略(Resource-based policies)示例策略下一页S3存储桶策略

最后更新于