1 Answer
0
There is a workaround to grant permissions to assumed-role users by using the aws:userid Policy Variable and [IAM Policy Conditions](http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Condition). The approach is outlined in this AWS Blog post.
KMS/Lambda-Specific Approach:
- Create a new Role to act as the execution role for Lambda (e.g. `lambda_test_kms_execution`).
- Make sure to give the Execution role permissions to create the alias:

```json
{
  "Effect": "Allow",
  "Action": "kms:CreateAlias",
  "Resource": "*"
}
```

- Use the AWS CLI to get the Unique RoleId for the role:

```
aws iam get-role --role-name lambda_test_kms_execution
```

- Assume the output contains `"RoleId": "ARO1234567890"`.
- Add statement(s) to the KMS key policy that use `Condition` to match `aws:userid` against the unique RoleId:

```json
{
  "Sid": "Deny IAM User Permissions",
  "Effect": "Deny",
  "Principal": { "AWS": "*" },
  "Action": "kms:CreateAlias",
  "Resource": "*",
  "Condition": {
    "StringNotLike": { "aws:userid": "ARO1234567890:*" }
  }
}
```
answered 8 years ago
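The following is an added example (editor-supplied, not code from the answer above or from AWS) that builds the key-policy Deny statement described in the answer and evaluates its `StringNotLike` / `aws:userid` condition locally, so you can see which callers it blocks before attaching it to a key. It assumes the role ID `ARO1234567890` from the answer; the session names and other principal IDs (an IAM user ID, a second role ID, an account ID standing in for the account root) are constructed for illustration. The Lambda session name used here follows the convention that Lambda names the assumed-role session after the function, which is an assumption of this example. It also goes beyond the single case in the answer by showing that the same Deny applies to the account root and to every other role, since `Principal` is `*` and only the `aws:userid` prefix exempts a caller.

```python
"""Build and locally evaluate the aws:userid-based Deny statement for a KMS key policy.

Added example, not part of the original answer. Assumes the role ID
'ARO1234567890' from the answer; all other IDs below are constructed.
"""
import json
import re


def deny_unless_role(role_id: str, action: str = "kms:CreateAlias") -> dict:
    """Return the key-policy statement: Deny `action` to every principal whose
    aws:userid does not start with '<role_id>:', i.e. anyone who is not an
    assumed-role session of that role. The trailing ':*' is what admits sessions."""
    return {
        "Sid": "Deny IAM User Permissions",
        "Effect": "Deny",
        "Principal": {"AWS": "*"},
        "Action": action,
        "Resource": "*",
        "Condition": {"StringNotLike": {"aws:userid": f"{role_id}:*"}},
    }


def iam_wildcard_match(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: '*' matches any run of characters, '?' exactly one,
    everything else is a literal, case-sensitive match of the whole value."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value) is not None


def statement_denies(statement: dict, userid: str) -> bool:
    """Evaluate the StringNotLike/aws:userid condition of a Deny statement built by
    deny_unless_role(). Returns True when the Deny applies to this aws:userid.
    StringNotLike is satisfied when the value matches NONE of the listed patterns."""
    patterns = statement["Condition"]["StringNotLike"]["aws:userid"]
    if isinstance(patterns, str):
        patterns = [patterns]
    return not any(iam_wildcard_match(p, userid) for p in patterns)


def assumed_role_userid(role_id: str, session_name: str) -> str:
    """aws:userid of an assumed-role session is '<RoleId>:<RoleSessionName>'.
    Assumption for this example: Lambda uses the function name as the session name."""
    return f"{role_id}:{session_name}"


def evaluate_callers(role_id: str) -> dict:
    """Run the statement against a constructed set of callers and report who is denied."""
    stmt = deny_unless_role(role_id)
    callers = {
        "lambda session of the execution role": assumed_role_userid(role_id, "lambda_test_kms"),
        "console/CLI session of the execution role": assumed_role_userid(role_id, "ops-user"),
        "IAM user (constructed ID)": "AIDAEXAMPLEUSERID",
        "session of another role (constructed ID)": assumed_role_userid("AROOTHERROLEID", "x"),
        "account root (constructed account ID)": "123456789012",
        "bare role ID without a session": role_id,
    }
    return {name: statement_denies(stmt, uid) for name, uid in callers.items()}


if __name__ == "__main__":
    print(json.dumps(deny_unless_role("ARO1234567890"), indent=2))
    for name, denied in evaluate_callers("ARO1234567890").items():
        print(f"{'DENIED ' if denied else 'allowed'}  {name}")
```

Note what the evaluation shows: with `Principal` set to `*`, the Deny reaches the account root and every administrator as well, so anyone who later needs `kms:CreateAlias` on that key must do it through a session of the named role (or the statement must be relaxed); check that before deploying it, because key-policy lockouts are hard to recover from.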