我正在管理一个AWS帐户。现在,我的一个非特权用户要求我授予他创建IAM角色的权限。我知道IAM角色通常是最佳选择,但我担心他们将能够创建"跨帐户访问角色",并允许其他人访问我的AWS帐户。
这可能是为了只授予访问权限——创建"AWS服务角色",而不是"跨帐户访问角色"?
您可以允许使用特定的策略。在这个例子中,我只允许EMR集群使用角色:
{ "Effect": "Allow", "Action": [ "iam:AttachRolePolicy" ], "Resource": "*" }, { "Effect": "Deny", "Action": [ "iam:AttachRolePolicy" ], "NotResource": [ "arn:aws:iam::*:role/EMR_DefaultRole", "arn:aws:iam::*:role/EMR_EC2_DefaultRole" ] }, { "Effect": "Deny", "Action": [ "iam:AttachRolePolicy" ], "Resource": [ "*" ], "Condition": { "ArnNotEquals": { "iam:PolicyArn": [ "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole", "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role" ] } } } ] }