You can apply read-only for resources, and one of CreateStack for the AWS CloudFormation service, in the same role. I understand that this mode is easier to manage. You will only have one role to manage.
One drawback I can think of would be using the Console to deploy CloudFormation if that is needed. You will need to create a CloudFormation role that the users could also assume in the CFN wizard. That is an easy fix. Other than that, I don't see any issues with this method. There are, however, many ways to accomplish this. Off the top of my head, this seems to be the absolute most restrictive.
Apparently, using the aws:UserAgent condition context key is a better solution to the problem. Reference values for the userAgent can be taken from CloudTrail documentation.