- 최신
- 최다 투표
- 가장 많은 댓글
What IAM policies have you set up?
The following documentation shows that only a limited number of "Instances" can be set to "Resource".
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlightsail.html#amazonlightsail-actions-as-permissions
For example, the following IAM policy will allow you to view all Lightsail instances, but restrict instance operations to those instances configured in "Resource".
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "lightsail:*",
"Resource": "arn:aws:lightsail:us-west-2:xxxxxxxxxxxxx:Instance/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx"
},
{
"Effect": "Allow",
"Action": "lightsail:Get*",
"Resource": "*"
}
]
}
That worked, thank you!
However, the current IAM user can still see all the Lightsail VM's of the root account (even though they can not control it) Is there a way to restrict this access so they only see the designated resource in the policy?
Perhaps giving an outside IAM user (not under root) access to the Lightsail resource?
Tags can be used to filter access to Lightsail resources https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-controlling-access-using-tags
관련 콘텐츠
- 질문됨 일 년 전
AWS 공식업데이트됨 8달 전
It may be possible with tag-based control, but it is not possible to hide it with resource-based control.