问题描述

我有两个AWS账户(Account A & B).我想允许Account B的几个IAM用户通过AWS IAM角色访问Account A的资源.

I have two AWS accounts(Account A & B). I want to allow few IAM users of Account B to access resources of Account A via AWS IAM roles.

我已经创建了该角色，并且可以正常工作.但是，我看到拥有角色名称的任何IAM用户都可以切换角色并访问资源.

I have created the role and it works fine. However, I see that any IAM user who gets hold of the role name is able to switch roles and access the resources.

是否有一种方法只能允许帐户B的特定用户切换到该角色?

Is there a way to allow only specific users of Account B to be able to switch to the role?

信任策略声明如下-

 {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::Account-B:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

推荐答案

您可以将应限制使用该角色的用户添加到组中.然后，您可以使用明确的拒绝"将IAM策略附加到IAM组.

You can add the users who should be restricted to assume the role to a group. Then you can attach IAM policy to the IAM group with an explicit Deny.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Deny",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::Account_A_ID:role/Rolename"
  }
}

http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html#tutorial_cross-account-with-roles.html #tutorial_cross-account-with-roles-2

这篇关于允许选定的IAM用户切换角色的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！