我有一个secret in secret管理器,系统中有多个IAM角色。我只想让一个角色访问权杖。不幸的是,还有一些其他IAM角色具有完全的机密管理器权限。所以我想限制所有其他角色对秘密的访问,除了我想要的角色
角色
- IAM_role_hat_need_to_access_the_secret
- IAM_role_1_hat_sshould_not_access_the_secret
- IAM_role_2_hat_sshould_not_access_the_secret
以下各项正在工作。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "secretsmanager:GetSecretValue",
"Principal": {
"AWS": "arn:aws:iam::IAM_role_1_that_should_not_access_the_secret",
"AWS": "arn:aws:iam::IAM_role_2_that_should_not_access_the_secret"
},
"Resource": "*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::IAM_role_that_need_to_access_the_secret"
},
"Action": "secretsmanager:GetSecretValue",
"Resource": "*",
"Condition": {
"ForAnyValue:StringEquals": {
"secretsmanager:VersionStage": "AWSCURRENT"
}
}
}
]
}
但我想拒绝访问所有角色,而不在"拒绝权限"部分明确提及每个角色。下面是这样的。但它将限制为所有角色,包括所需的角色。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "secretsmanager:GetSecretValue",
"Principal": {"AWS": "*"},
"Resource": "*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::IAM_role_that_need_to_access_the_secret"
},
"Action": "secretsmanager:GetSecretValue",
"Resource": "*",
"Condition": {
"ForAnyValue:StringEquals": {
"secretsmanager:VersionStage": "AWSCURRENT"
}
}
}
]
}
更新:
我询问了AWS支持部门,他们说:
NotPrinicipal通过显式拒绝使资源策略失败是一个已知问题。解决方法是使用
"StringNotEquals":"aws:PrincipalArn"条件键。
上一个答案:
您可以使用:NotPrincipal
{
"Effect": "Deny",
"NotPrincipal": {
"AWS": "arn:aws:iam::IAM_role_that_need_to_access_the_secret"
},
"Action": "secretsmanager:GetSecretValue",
"Resource": "*",
...
您可以创建一个KMS密钥,然后为KMS密钥创建一个策略,该策略只授予您需要的角色访问权限。如下所示:
{
"Version": "2012-10-17",
"Id": "key-default-admin",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<AWS_ACCOUNT_ID>:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow administration of the key",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>",
"arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>"
]
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::<AWS_ACCOUNT_ID>:role/AdminRole",
"arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>"
]
},
"Action": [
"kms:DescribeKey",
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext"
],
"Resource": "*"
},
{
"Sid": "Deny use of the key",
"Effect": "Deny",
"Principal": {
"AWS": "arn:aws:iam::<AWS_ACCOUNT_ID>:root"
},
"Action": "kms:*",
"Resource": "*",
"Condition": {
"StringNotLike": {
"aws:PrincipalArn": [
"arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>",
"arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>"
]
}
}
}
]
}我能够通过使用资源策略上的条件并指定aws:PrincipalArn中角色的ARN来实现这一点(参考:https://aws.amazon.com/blogs/security/iam-makes-it-easier-to-manage-permissions-for-aws-services-accessing-resources/)
{
"Version" : "2012-10-17",
"Statement" : [
{
"Sid" : "Get",
"Effect" : "Deny",
"Principal" : "*",
"Action" : "secretsmanager:GetSecretValue",
"Resource" : "<<ARN OF Secret>>",
"Condition" : {
"StringNotLike" : {
"aws:PrincipalArn" : [
"<<ARN of IAM_role_that_need_to_access_the_secret>>" ]
}
}
} ]
}