Policy IAM user Appstream2.0

Is it possible to give access only to a certain image, stack, or fleet with IAM policies?

Do you have any examples?

I tried with a policy but it returns this error:

User: arn:aws:iam::xxxxxxxxx:user/xxxxxxxx is not authorized to perform: appstream:DescribeFleets on resource: arn:aws:appstream:eu-central-1:xxxxxxxxxxx:fleet/* because no boundary policy allows the appstream:DescribeFleets action

My need is: in an AWS account, an IAM user must only see some image/fleet/stack.

thanks

주제

보안, 신원 및 규정 준수 관리 및 거버넌스 최종 사용자 컴퓨팅

태그

AWS 자격 증명 및 액세스 관리 AWS 관리 콘솔 AWS 명령줄 인터페이스 아마존 AppStream IAM 정책

언어

English

AWS-User-6631477

질문됨 2년 전645회 조회

1개 답변

최신
최다 투표
가장 많은 댓글

The AppStream 2.0 console doesn't currently support restricting what a user can see based on tags or other resource boundary. For example, the Stacks page calls the AppStream 2.0 API "DescribeStacks" without specifying any boundaries or tags. You can use tags to prevent a user from updating an AppStream 2.0 resource without specify a specific tag - for example, if a user/role should only be able to modify resources with a tag key of "Stage" and value of "NonProd", you can specify that as a condition.

전문가

MuraliAtAWS

답변함 2년 전

AWS-User-6631477
2년 전
thanks for your answer MuraliAtAWS. So a policy with these controls (see example) is not possible?

"Resource": [ "arn:aws:appstream:eu-central-1:123.....:image-builder/imagebuilder01" "arn:aws:appstream:eu-central-1:123.....:stack/stack01", "arn:aws:appstream:eu-central-1:123.....:app-block/", "arn:aws:appstream:eu-central-1:123.....:fleet/fleet1", "arn:aws:appstream:eu-central-1:123.....:application/", "arn:aws:appstream:eu-central-1:123.....:image/image01" ], "Condition": { "StringEqualsIfExists": { "aws:username": "user01" } }

Policy IAM user Appstream2.0

관련 콘텐츠