问题描述
我有两个AWS账户(Account A & B
).我想允许Account B
的几个IAM用户通过AWS IAM
角色访问Account A
的资源.
I have two AWS accounts(Account A & B
). I want to allow few IAM users of Account B
to access resources of Account A
via AWS IAM
roles.
我已经创建了该角色,并且可以正常工作.但是,我看到拥有角色名称的任何IAM用户都可以切换角色并访问资源.
I have created the role and it works fine. However, I see that any IAM user who gets hold of the role name is able to switch roles and access the resources.
是否有一种方法只能允许帐户B的特定用户切换到该角色?
Is there a way to allow only specific users of Account B to be able to switch to the role?
信任策略声明如下-
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::Account-B:root"
},
"Action": "sts:AssumeRole"
}
]
}
推荐答案
您可以将应限制使用该角色的用户添加到组中.然后,您可以使用明确的拒绝"将IAM策略附加到IAM组.
You can add the users who should be restricted to assume the role to a group. Then you can attach IAM policy to the IAM group with an explicit Deny.
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Deny",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::Account_A_ID:role/Rolename"
}
}
这篇关于允许选定的IAM用户切换角色的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!