The first recommendation is to add conditions to the trust policy of the role. This limits the principal that can assume it. Further information here - https://docs.aws.amazon.com/controltower/latest/userguide/conditions-for-role-trust.html and here - https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html
As for limiting the full authority, the approach recommended is to set up a permissions boundary on the role. You can define the maximum permissions of the role and even explicitly deny actions such as modifying or deleting logging buckets, or even accessing the audit account altogether. You would also want to define in the policy that it cannot perform actions in IAM on itself "NotResource:ROLE" and that it cannot edit the Permissions Boundary "NoBoundaryPolicyEdit". Examples of this are linked below.
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
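The following is an added example, not part of the answer above or of AWS documentation. It writes out the two policy documents the answer describes (a trust policy with `aws:PrincipalOrgID` / `aws:PrincipalArn` conditions, and a permissions boundary with a `NotResource` carve-out for the role itself and a `NoBoundaryPolicyEdit` deny) and pairs them with a deliberately small evaluator that models the documented rule: an explicit Deny wins, and with a boundary attached the effective permissions are the intersection of the identity policy and the boundary. All account IDs, the org ID, role and bucket names are constructed placeholders; the evaluator only handles `Action`, `Resource`/`NotResource` and the two condition operators used here, not the full IAM evaluation logic.

```python
import fnmatch

# Constructed placeholder identifiers (not real accounts or resources).
ACCOUNT_ID = "111111111111"          # account that owns the role
TRUSTED_ACCOUNT_ID = "222222222222"  # account whose principals may assume it
ORG_ID = "o-exampleorgid"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/CrossAccountOpsRole"
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT_ID}:policy/OpsRoleBoundary"
LOG_BUCKET_ARN = "arn:aws:s3:::example-cloudtrail-logs"

# Trust policy: not just "account 2222... root", but only Deployer* roles from inside the org.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{TRUSTED_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"aws:PrincipalOrgID": ORG_ID},
            "ArnLike": {"aws:PrincipalArn": f"arn:aws:iam::{TRUSTED_ACCOUNT_ID}:role/Deployer*"},
        },
    }],
}

# Permissions boundary: the ceiling for whatever identity policy gets attached to the role.
BOUNDARY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ServiceBoundaries", "Effect": "Allow",
         "Action": ["s3:*", "ec2:*"], "Resource": "*"},
        # IAM is allowed on everything except the role itself ("NotResource:ROLE").
        {"Sid": "IamButNotSelf", "Effect": "Allow",
         "Action": "iam:*", "NotResource": ROLE_ARN},
        # Explicit deny on the logging bucket and its objects.
        {"Sid": "DenyLoggingBuckets", "Effect": "Deny",
         "Action": ["s3:DeleteBucket", "s3:PutBucketPolicy", "s3:DeleteObject"],
         "Resource": [LOG_BUCKET_ARN, LOG_BUCKET_ARN + "/*"]},
        # The role may not rewrite the boundary that constrains it ("NoBoundaryPolicyEdit").
        {"Sid": "NoBoundaryPolicyEdit", "Effect": "Deny",
         "Action": ["iam:CreatePolicyVersion", "iam:DeletePolicy",
                    "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"],
         "Resource": BOUNDARY_ARN},
    ],
}

# Over-broad identity policy, to show that the boundary still caps it.
IDENTITY_POLICY = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _matches(patterns, value):
    """IAM-style wildcard match; actions compare case-insensitively, ARNs do not."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _statement_applies(stmt, action, resource):
    if not _matches([a.lower() for a in ([stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"])], action.lower()):
        return False
    if "Resource" in stmt:
        return _matches(stmt["Resource"], resource)
    return not _matches(stmt["NotResource"], resource)


def _evaluate(policy, action, resource):
    """Return 'Deny', 'Allow' or None (implicit deny) for a single policy document."""
    decision = None
    for stmt in policy["Statement"]:
        if _statement_applies(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny is final
            decision = "Allow"
    return decision


def is_allowed(identity_policy, boundary_policy, action, resource):
    """Effective permission = identity policy AND boundary, with any explicit deny winning."""
    return (_evaluate(identity_policy, action, resource) == "Allow"
            and _evaluate(boundary_policy, action, resource) == "Allow")


def can_assume(trust_policy, principal_arn, principal_org_id):
    """Check the trust policy's conditions for a caller (StringEquals and ArnLike only)."""
    context = {"aws:PrincipalArn": principal_arn, "aws:PrincipalOrgID": principal_org_id}
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or not _matches(stmt["Action"], "sts:AssumeRole"):
            continue
        ok = True
        for operator, keys in stmt.get("Condition", {}).items():
            for key, expected in keys.items():
                actual = context.get(key, "")
                if operator == "StringEquals":
                    ok = ok and actual == expected
                elif operator == "ArnLike":
                    ok = ok and fnmatch.fnmatchcase(actual, expected)
        if ok:
            return True
    return False


if __name__ == "__main__":
    print("delete log bucket:", is_allowed(IDENTITY_POLICY, BOUNDARY_POLICY, "s3:DeleteBucket", LOG_BUCKET_ARN))
    print("edit own trust policy:", is_allowed(IDENTITY_POLICY, BOUNDARY_POLICY, "iam:UpdateAssumeRolePolicy", ROLE_ARN))
    print("assume from Deployer-prod:", can_assume(TRUST_POLICY, f"arn:aws:iam::{TRUSTED_ACCOUNT_ID}:role/Deployer-prod", ORG_ID))
```

The point the evaluator makes visible is that even with `"Action": "*"` in the identity policy, the role cannot touch the logging bucket, its own trust policy, or the boundary document, while ordinary S3/EC2/IAM work on other resources still succeeds; when reviewing a real role, the same checks can be run with the IAM policy simulator rather than this toy evaluator.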