The documentation has been updated to account for this exception.
Role trust policies and KMS key policies are exceptions to this logic, because they must explicitly allow access for principals.
A user or resource can only assume an identity given that the user/resource has "sts:assumerole" permissions for Role A, and Role A trusts the user or the entire account that includes users B and C. However, User C would not be able to assume Role A unless trusted by Role A, even with "sts:assumerole", as a result of least privilege. Principals are not allowed to assume a role unless they are explicitly allowed to in the role's trust policy. This is because there is an implicit deny by default. An explicit deny would require a Deny statement, which would override any allow. This is done to prevent User C from assuming a role with more permissions than they should be allowed.
Attaching the following documentation regarding role trust policies here. https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles/
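The two gates the answer above describes (identity policy plus role trust policy, implicit deny by default, explicit Deny winning) simulated in an added example that is not code from the original post or from AWS. The account id, ARNs and policies are constructed, and real IAM evaluation details such as Condition keys and cross-account rules are not modelled.

```python
import fnmatch
ACCOUNT = "111122223333"  # constructed account id, as are the ARNs below
ROLE_A = f"arn:aws:iam::{ACCOUNT}:role/RoleA"
USER_B = f"arn:aws:iam::{ACCOUNT}:user/UserB"
USER_C = f"arn:aws:iam::{ACCOUNT}:user/UserC"
# Identity policy attached to both users: sts:AssumeRole on RoleA.
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_A}]}
# Trust policy trusting the whole account (root): every principal in the account
# that also has sts:AssumeRole in its identity policy can assume RoleA.
TRUST_WHOLE_ACCOUNT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
     "Action": "sts:AssumeRole"}]}
# Least-privilege trust policy: only UserB is trusted, so UserC is implicitly
# denied even though its identity policy allows sts:AssumeRole.
TRUST_USER_B_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": USER_B}, "Action": "sts:AssumeRole"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]
def _any_match(patterns, value):  # IAM-style "*" / "?" wildcards
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))
def _evaluate(statements, matches):
    """Implicit deny by default; an explicit Deny overrides any Allow."""
    allowed = False
    for s in _as_list(statements):
        if matches(s):
            if s["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def identity_allows(policy, action, resource):
    return _evaluate(policy["Statement"], lambda s: _any_match(s.get("Action", []), action)
                     and _any_match(s.get("Resource", []), resource))

def _principal_matches(stmt, principal_arn):
    aws = stmt.get("Principal", {})
    account = principal_arn.split(":")[4]
    for p in _as_list("*" if aws == "*" else aws.get("AWS", [])):
        # A trusted account root covers every principal in that account.
        if p in ("*", principal_arn) or (p.endswith(":root") and p.split(":")[4] == account):
            return True
    return False
def trust_allows(trust_policy, principal_arn, action="sts:AssumeRole"):
    return _evaluate(trust_policy["Statement"], lambda s: _principal_matches(s, principal_arn)
                     and _any_match(s.get("Action", []), action))

def can_assume(principal_arn, identity_policy, trust_policy, role_arn=ROLE_A):
    """Both gates must pass: the caller's identity policy and the role's trust policy."""
    return (identity_allows(identity_policy, "sts:AssumeRole", role_arn)
            and trust_allows(trust_policy, principal_arn))
```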
Actually I read that before but didn't notice. Thanks a lot.