Allowing AWS service access: aws:PrincipalIsAWSService

aws:PrincipalIsAWSService: null means the key is absent from the request context during IAM policy evaluation. AWS populates this key on every signed API request made with AWS credentials: it is true when an AWS service principal (for example cloudtrail.amazonaws.com writing logs to an S3 bucket) acts directly on your resource, and false when the request is signed by an IAM principal, including when a service uses a service role or service-linked role on that principal's behalf. So for the following callers the key is present and set to false, not null:

  • IAM users: users who sign in to the AWS console or use the AWS CLI directly.

  • IAM roles: roles assumed by IAM users or by other AWS services.

  • Federated users: users authenticated through a federated identity provider such as SAML or OIDC.

The null case is the anonymous (unsigned) request, where AWS does not include the key at all. That distinction is what makes Bool and BoolIfExists behave differently in the tables below: BoolIfExists treats a missing key as a match, so an Allow statement using it would also apply to anonymous requests.

Bool in an Allow Statement

  Policy Condition                                   Request Context                       Result
  "Bool": {"aws:PrincipalIsAWSService": "true"}      aws:PrincipalIsAWSService: null       Not Allowed (statement does not apply)
  "Bool": {"aws:PrincipalIsAWSService": "true"}      aws:PrincipalIsAWSService: true       Allowed (assuming no explicit Deny elsewhere)
  "Bool": {"aws:PrincipalIsAWSService": "true"}      aws:PrincipalIsAWSService: false      Not Allowed (statement does not apply)

BoolIfExists in an Allow Statement

  Policy Condition                                          Request Context                       Result
  "BoolIfExists": {"aws:PrincipalIsAWSService": "true"}     aws:PrincipalIsAWSService: null       Allowed (assuming no explicit Deny elsewhere)
  "BoolIfExists": {"aws:PrincipalIsAWSService": "true"}     aws:PrincipalIsAWSService: true       Allowed (assuming no explicit Deny elsewhere)
  "BoolIfExists": {"aws:PrincipalIsAWSService": "true"}     aws:PrincipalIsAWSService: false      Not Allowed (statement does not apply)
