用SCP限制创建IAM User结合安全规范要求指定人员才能创建

IAM用户会导致严重的安全风险,容易造成安全凭据丢失,并且在很多使用场景中都能够通过IAM Role角色替代,因此,建议制定安全政策,要求如果想要使用IAM用户必须提交申请,由专门的人创建IAM用户,其他任何人就算授予了权限,也应该通过SCP拒绝。

SCP示例策略如下:

替换里面的userid,参考文档使用https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable

{
  "Effect": "Deny",
  "Action": [
        "iam:ListUsers",
				"iam:ListUserPolicies",
				"iam:ListUserTags",
				"iam:GetUser",
				"iam:GetUserPolicy",
				"iam:AddUserToGroup",
				"iam:CreateUser",
				"iam:DeleteUser",
				"iam:RemoveUserFromGroup",
				"iam:UpdateUser",
				"iam:AttachUserPolicy",
				"iam:DeleteUserPermissionsBoundary",
				"iam:DeleteUserPolicy",
				"iam:DetachUserPolicy",
				"iam:PutUserPermissionsBoundary",
				"iam:PutUserPolicy",
				"iam:TagUser",
				"iam:UntagUser"
  ],
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "aws:userid": [<IAM user unique ID>, "account:caller-specified-name"]
    }
  }
}
上一页Centralize Root Access In AWS(AssumeRoot)下一页特权账号管理实践

最后更新于