我有两个AWS帐户(Account A & B)。我想允许Account B的几个IAM用户通过AWS IAM角色访问Account A的资源。
我已经创建了角色,并且可以正常工作。但是,我看到任何掌握角色名称的IAM用户都能够切换角色并访问资源。
是否有一种方法可以允许帐户B的特定用户能够切换到角色?
信任政策声明如下 -
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::Account-B:root"
},
"Action": "sts:AssumeRole"
}
]
}
您可以添加应限制在组中担任角色的用户。然后,您可以以明确的拒绝将IAM策略附加到IAM组。
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Deny",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::Account_A_ID:role/Rolename"
}
}
http://docs.aws.amazon.com/iam/latest/userguide/tutorial_cross-account-with-roles.html#tutorial_cross-ccross-account-with-with-with-pount-with-tml#tutorial_cross-ccross-account-with-with-with-roles-2