- 最新
- 投票最多
- 评论最多
What IAM policies have you set up?
The following documentation shows that only a limited number of "Instances" can be set to "Resource".
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlightsail.html#amazonlightsail-actions-as-permissions
For example, the following IAM policy will allow you to view all Lightsail instances, but restrict instance operations to those instances configured in "Resource".
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "lightsail:*",
"Resource": "arn:aws:lightsail:us-west-2:xxxxxxxxxxxxx:Instance/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx"
},
{
"Effect": "Allow",
"Action": "lightsail:Get*",
"Resource": "*"
}
]
}
That worked, thank you!
However, the current IAM user can still see all the Lightsail VM's of the root account (even though they can not control it) Is there a way to restrict this access so they only see the designated resource in the policy?
Perhaps giving an outside IAM user (not under root) access to the Lightsail resource?
Tags can be used to filter access to Lightsail resources https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-controlling-access-using-tags
相关内容
- AWS 官方已更新 3 年前
- AWS 官方已更新 3 年前
- AWS 官方已更新 2 年前
It may be possible with tag-based control, but it is not possible to hide it with resource-based control.