范围为特定区域的 AWS IAM PowerUser

Question

我正在尝试创建一个 AWS IAM 策略，该策略允许访问高级用户拥有的所有内容 (arn:aws:iam::aws:policy/PowerUserAccess)，但仅限于特定区域。

我从现有的超级用户政策开始，发现这篇文章：https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_ec2_region.html

所以我在 Power User Policy 中添加了“条件”，结果是：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": "*",
            "NotAction": [
                "iam:*",
                "organizations:*",
                "account:*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:Region": "us-east-2"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole",
                "iam:DeleteServiceLinkedRole",
                "iam:ListRoles",
                "organizations:DescribeOrganization",
                "account:ListRegions"
            ],
            "Resource": "*"
        }
    ]
}

这似乎不起作用，因为我只能在指定区域创建 EC2 实例......但其他服务不可用：

Answer 1

当您在 Condition 键中使用 ec2:Region 时，即为 EC2 specific

您需要尝试使用aws:RequestedRegion 作为条件键。

但要小心，

一些全球服务，例如 IAM，只有一个端点。由于此终端节点物理上位于美国东部（弗吉尼亚北部）区域，因此始终会向 us-east-1 区域发出 IAM 调用

试试看

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": "*",
            "NotAction": [
                "iam:*",
                "organizations:*",
                "account:*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "us-east-2"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole",
                "iam:DeleteServiceLinkedRole",
                "iam:ListRoles",
                "organizations:DescribeOrganization",
                "account:ListRegions"
            ],
            "Resource": "*"
        }
    ]
}