Granting Custom Permissions for Amazon Config Users - Amazon Config
The Amazon Web Services services or features described in the Amazon Web Services documentation may vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon Web Services in China.

This page is a machine-translated version. If this translation differs from the English original, the English original prevails.

Granting Custom Permissions for Amazon Config Users

Amazon Config policies grant permissions to users who work with Amazon Config. If you need to grant different permissions to users, you can attach an Amazon Config policy to an IAM group or user. You can edit the policy to include or exclude specific permissions. You can also create your own custom policies. Policies are JSON documents that define the actions a user is allowed to perform and the resources on which the user is allowed to perform those actions.

Read-Only Access

The following example shows the Amazon managed policy AWSConfigUserAccess, which grants read-only access to Amazon Config.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "config:Get*",
        "config:Describe*",
        "config:Deliver*",
        "config:List*",
        "config:Select*",
        "tag:GetResources",
        "tag:GetTagKeys",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:LookupEvents"
      ],
      "Resource": "*"
    }
  ]
}

In these policy statements, the Effect element specifies whether the actions are allowed or denied. The Action element lists the specific actions the user is allowed to perform. The Resource element lists the Amazon resources on which the user is allowed to perform those actions. For policies that control access to Amazon Config actions, the Resource element is always set to * (a wildcard meaning "all resources").

The values in the Action element correspond to the APIs that the service supports. The actions are prefixed with config: to indicate that they refer to Amazon Config actions. You can use the * wildcard in the Action element, as in the following examples:

  • "Action": ["config:*ConfigurationRecorder"]

    This allows all Amazon Config actions whose names end in "ConfigurationRecorder" (StartConfigurationRecorder, StopConfigurationRecorder).

  • "Action": ["config:*"]

    This allows all Amazon Config actions, but not actions of other Amazon services.

  • "Action": ["*"]

    This allows all Amazon actions. This permission is suitable for a user who acts as the Amazon administrator for your account.

The read-only policy does not grant a user permission for the StartConfigurationRecorder, StopConfigurationRecorder, or DeleteConfigurationRecorder actions. A user with this policy is not allowed to start, stop, or delete the configuration recorder. For a list of Amazon Config actions, see the Amazon Config API Reference.

Full Access

The following example shows a policy that grants full access to Amazon Config. It grants users permission to perform all Amazon Config actions. It also lets users manage files in an Amazon S3 bucket and manage Amazon SNS topics.

Note

This policy grants broad permissions. Before granting full access, consider starting with a minimum set of permissions and granting additional permissions as necessary. Doing so is better practice than starting with permissions that are too lenient and then trying to tighten them later.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sns:AddPermission",
        "sns:CreateTopic",
        "sns:DeleteTopic",
        "sns:GetTopicAttributes",
        "sns:ListPlatformApplications",
        "sns:ListTopics",
        "sns:SetTopicAttributes"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:GetBucketAcl",
        "s3:GetBucketLocation",
        "s3:GetBucketNotification",
        "s3:GetBucketPolicy",
        "s3:GetBucketRequestPayment",
        "s3:GetBucketVersioning",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucketVersions",
        "s3:PutBucketPolicy"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:ListRolePolicies",
        "iam:ListRoles",
        "iam:PutRolePolicy",
        "iam:AttachRolePolicy",
        "iam:CreatePolicy",
        "iam:CreatePolicyVersion",
        "iam:DeletePolicyVersion",
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "config.amazonaws.com",
            "ssm.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:LookupEvents"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "config:*",
        "tag:Get*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeDocument",
        "ssm:GetDocument",
        "ssm:DescribeAutomationExecutions",
        "ssm:GetAutomationExecution",
        "ssm:ListDocuments",
        "ssm:StartAutomationExecution"
      ],
      "Resource": "*"
    }
  ]
}
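The note above recommends starting narrow and widening as needed. The following script is an added example, not Amazon Config or IAM code, that makes the "how broad is this policy?" question concrete: it walks a policy document and flags the patterns a reviewer looks for first (account-wide or service-wide action wildcards, write actions granted on every resource, and iam:PassRole with no Condition limiting iam:PassedToService). The heuristics, including which action verbs count as read-only, are this example's own and not an AWS rule set; the sample policies are the page's full-access policy abridged to a few statements, and its read-only policy, so that the contrast is visible.

```python
"""Heuristic checker for over-broad IAM policy statements.

Added example, not Amazon Config or IAM code. The heuristics (including
which verbs are treated as read-only) are this example's own assumptions,
not an AWS rule set; a real review should also use the IAM policy
simulator and IAM Access Analyzer.
"""

# Verbs that, as a first approximation, only read state. Heuristic.
READ_ONLY_PREFIXES = ("Get", "Describe", "List", "Lookup", "Select")


def _as_list(value):
    """IAM accepts a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    return action.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES)


def _covers_all_resources(resource):
    """True for "*" and for ARNs whose resource part is "*", e.g. arn:aws:s3:::*."""
    return resource == "*" or resource.split(":", 5)[-1] == "*"


def lint_policy(policy):
    """Return a list of (statement id, finding) tuples for the Allow statements."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{index}]")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))

        for action in actions:
            if action == "*":
                findings.append((sid, "grants every action of every service"))
            elif action.endswith(":*"):
                findings.append((sid, f"grants every {action[:-2]} action"))

        if any(_covers_all_resources(r) for r in resources):
            writes = [a for a in actions if "*" not in a and not _is_read_only(a)]
            if writes:
                findings.append((sid, "write actions on all resources: " + ", ".join(writes)))

        if any(a.lower() == "iam:passrole" for a in actions) and "Condition" not in stmt:
            findings.append((sid, "iam:PassRole without a Condition on iam:PassedToService"))
    return findings


# The full-access policy from this page, abridged to four of its statements.
FULL_ACCESS_ABRIDGED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["sns:AddPermission", "sns:CreateTopic", "sns:DeleteTopic",
                    "sns:GetTopicAttributes", "sns:ListTopics"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["s3:CreateBucket", "s3:GetBucketAcl", "s3:PutBucketPolicy"],
         "Resource": "arn:aws:s3:::*"},
        {"Effect": "Allow",
         "Action": ["iam:PassRole"],
         "Resource": "*",
         "Condition": {"StringEquals": {"iam:PassedToService": [
             "config.amazonaws.com", "ssm.amazonaws.com"]}}},
        {"Effect": "Allow", "Action": ["config:*", "tag:Get*"], "Resource": "*"},
    ],
}

# The read-only policy from this page, abridged.
READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["config:Get*", "config:Describe*", "config:List*",
                              "cloudtrail:DescribeTrails", "cloudtrail:LookupEvents"],
                   "Resource": "*"}],
}

if __name__ == "__main__":
    for sid, finding in lint_policy(FULL_ACCESS_ABRIDGED):
        print(f"{sid}: {finding}")
    print("read-only findings:", lint_policy(READ_ONLY))
```

Run against the abridged full-access policy the checker reports four findings (SNS and S3 write actions on all resources, iam:PassRole on any role, and the service-wide config:* grant) and none for the read-only policy; the PassRole statement is not flagged for a missing Condition because the page's policy does restrict iam:PassedToService.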

Controlling User Permissions for Actions on Multi-Account Multi-Region Data Aggregation

You can use resource-level permissions to control a user's ability to perform specific actions on multi-account multi-region data aggregation. The following Amazon Config Aggregator APIs support resource-level permissions:

For example, you can restrict access to resource data for specific users by creating two aggregators, AccessibleAggregator and InAccessibleAggregator, and attaching an IAM policy that allows access to AccessibleAggregator but denies access to InAccessibleAggregator.

IAM Policy for AccessibleAggregator

In this policy, you allow access to the supported aggregator actions for the Amazon Config Amazon Resource Name (ARN) that you specify. In this example, the Amazon Config ARN is arn:aws:config:ap-northeast-1:AccountID:config-aggregator/config-aggregator-mocpsqhs.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ConfigAllow",
      "Effect": "Allow",
      "Action": [
        "config:BatchGetAggregateResourceConfig",
        "config:DeleteConfigurationAggregator",
        "config:DescribeAggregateComplianceByConfigRules",
        "config:DescribeAggregateComplianceByConformancePacks",
        "config:DescribeConfigurationAggregatorSourcesStatus",
        "config:GetAggregateComplianceDetailsByConfigRule",
        "config:GetAggregateConfigRuleComplianceSummary",
        "config:GetAggregateConformancePackComplianceSummary",
        "config:GetAggregateDiscoveredResourceCounts",
        "config:GetAggregateResourceConfig",
        "config:ListAggregateDiscoveredResources",
        "config:PutConfigurationAggregator",
        "config:SelectAggregateResourceConfig"
      ],
      "Resource": "arn:aws:config:ap-northeast-1:AccountID:config-aggregator/config-aggregator-mocpsqhs"
    }
  ]
}

IAM Policy for InAccessibleAggregator

In this policy, you deny access to the supported aggregator actions for the Amazon Config ARN that you specify. In this example, the Amazon Config ARN is arn:aws:config:ap-northeast-1:AccountID:config-aggregator/config-aggregator-pokxzldx.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ConfigDeny",
      "Effect": "Deny",
      "Action": [
        "config:BatchGetAggregateResourceConfig",
        "config:DeleteConfigurationAggregator",
        "config:DescribeAggregateComplianceByConfigRules",
        "config:DescribeAggregateComplianceByConformancePacks",
        "config:DescribeConfigurationAggregatorSourcesStatus",
        "config:GetAggregateComplianceDetailsByConfigRule",
        "config:GetAggregateConfigRuleComplianceSummary",
        "config:GetAggregateConformancePackComplianceSummary",
        "config:GetAggregateDiscoveredResourceCounts",
        "config:GetAggregateResourceConfig",
        "config:ListAggregateDiscoveredResources",
        "config:PutConfigurationAggregator",
        "config:SelectAggregateResourceConfig"
      ],
      "Resource": "arn:aws:config:ap-northeast-1:AccountID:config-aggregator/config-aggregator-pokxzldx"
    }
  ]
}

If a user in the developer group tries to perform any of these actions on the Amazon Config ARN that you specify, that user receives an access denied exception.
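Two rules on this page decide whether such a request succeeds: the Action wildcards described earlier (config:*ConfigurationRecorder, config:*, *), and the way an explicit Deny on one aggregator ARN overrides an Allow that would otherwise match. The following script is an added example, not Amazon Config or IAM code, that models just that subset of IAM evaluation so the outcomes can be checked offline: the sample policies are constructed after the read-only, wildcard and ConfigDeny policies on this page (with a shortened action list), and the ARNs are the page's own with its AccountID placeholder. Conditions, NotAction, principals and the rest of IAM are deliberately out of scope; one caveat it makes visible is that config:*ConfigurationRecorder also matches DeleteConfigurationRecorder, not only the Start and Stop actions listed above.

```python
"""Minimal model of the IAM evaluation rules this page relies on.

Added example (not Amazon Config or IAM code). It covers Action wildcards,
Resource ARN matching, and the rule that an explicit Deny beats any Allow
while the default is an implicit Deny. Everything else in IAM is out of
scope; use the IAM policy simulator for real decisions.
"""
import fnmatch

# Constructed sample policies modeled on the ones shown on this page.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["config:Get*", "config:Describe*", "config:Deliver*",
                   "config:List*", "config:Select*"],
        "Resource": "*",
    }],
}

RECORDER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["config:*ConfigurationRecorder"],
        "Resource": "*",
    }],
}

# Aggregator ARNs as they appear on this page (AccountID is the page's placeholder).
ACCESSIBLE_ARN = ("arn:aws:config:ap-northeast-1:AccountID:"
                  "config-aggregator/config-aggregator-mocpsqhs")
INACCESSIBLE_ARN = ("arn:aws:config:ap-northeast-1:AccountID:"
                    "config-aggregator/config-aggregator-pokxzldx")

AGGREGATOR_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ConfigDeny",
        "Effect": "Deny",
        "Action": ["config:GetAggregateComplianceDetailsByConfigRule",
                   "config:DeleteConfigurationAggregator"],
        "Resource": INACCESSIBLE_ARN,
    }],
}


def _as_list(value):
    """IAM accepts a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    """Action names match case-insensitively; * and ? are wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    """Resource ARNs match case-sensitively; a bare "*" covers everything."""
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def evaluate(policies, action, resource="*"):
    """Return "Allow" or "Deny" for one request against a set of policies.

    An explicit Deny in any matching statement wins outright; otherwise any
    matching Allow permits the request; otherwise the implicit Deny applies.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _action_matches(stmt["Action"], action):
                continue
            if not _resource_matches(stmt["Resource"], resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


def allowed_actions(policies, candidates, resource="*"):
    """Filter a candidate action list down to those the policies allow."""
    return [a for a in candidates if evaluate(policies, a, resource) == "Allow"]


if __name__ == "__main__":
    recorder_ops = ["config:StartConfigurationRecorder",
                    "config:StopConfigurationRecorder",
                    "config:DeleteConfigurationRecorder",
                    "config:PutConfigRule"]
    print(allowed_actions([RECORDER_POLICY], recorder_ops))
    for arn in (ACCESSIBLE_ARN, INACCESSIBLE_ARN):
        print(arn.rsplit("/", 1)[1],
              evaluate([READ_ONLY_POLICY, AGGREGATOR_DENY_POLICY],
                       "config:GetAggregateComplianceDetailsByConfigRule", arn))
```

With both the read-only policy and ConfigDeny attached, GetAggregateComplianceDetailsByConfigRule is allowed on the mocpsqhs aggregator (config:Get* matches and no Deny applies) and denied on the pokxzldx aggregator, which is the access denied exception the page describes; with only ConfigDeny attached the same call is denied on both, because nothing allows it.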

Checking User Access

To display the aggregators you created, run the following Amazon CLI command:

aws configservice describe-configuration-aggregators

After the command completes successfully, you can see details for all aggregators associated with your account. In this example, they are AccessibleAggregator and InAccessibleAggregator.

{
  "ConfigurationAggregators": [
    {
      "ConfigurationAggregatorArn": "arn:aws:config:ap-northeast-1:AccountID:config-aggregator/config-aggregator-mocpsqhs",
      "CreationTime": 1517942461.442,
      "ConfigurationAggregatorName": "AccessibleAggregator",
      "AccountAggregationSources": [
        {
          "AllAwsRegions": true,
          "AccountIds": [
            "AccountID1",
            "AccountID2",
            "AccountID3"
          ]
        }
      ],
      "LastUpdatedTime": 1517942461.455
    },
    {
      "ConfigurationAggregatorArn": "arn:aws:config:ap-northeast-1:AccountID:config-aggregator/config-aggregator-pokxzldx",
      "CreationTime": 1517942461.442,
      "ConfigurationAggregatorName": "InAccessibleAggregator",
      "AccountAggregationSources": [
        {
          "AllAwsRegions": true,
          "AccountIds": [
            "AccountID1",
            "AccountID2",
            "AccountID3"
          ]
        }
      ],
      "LastUpdatedTime": 1517942461.455
    }
  ]
}

Note

For account-aggregation-sources, enter a comma-separated list of the Amazon account IDs for which you want to aggregate data. Enclose the account IDs in square brackets, and make sure the quotation marks are escaped (for example, "[{\"AccountIds\": [\"AccountID1\",\"AccountID2\",\"AccountID3\"],\"AllAwsRegions\": true}]").

Attach the following IAM policy to deny access to InAccessibleAggregator, or to whichever aggregator you want to deny access to.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ConfigDeny",
      "Effect": "Deny",
      "Action": [
        "config:BatchGetAggregateResourceConfig",
        "config:DeleteConfigurationAggregator",
        "config:DescribeAggregateComplianceByConfigRules",
        "config:DescribeAggregateComplianceByConformancePacks",
        "config:DescribeConfigurationAggregatorSourcesStatus",
        "config:GetAggregateComplianceDetailsByConfigRule",
        "config:GetAggregateConfigRuleComplianceSummary",
        "config:GetAggregateConformancePackComplianceSummary",
        "config:GetAggregateDiscoveredResourceCounts",
        "config:GetAggregateResourceConfig",
        "config:ListAggregateDiscoveredResources",
        "config:PutConfigurationAggregator",
        "config:SelectAggregateResourceConfig"
      ],
      "Resource": "arn:aws:config:ap-northeast-1:AccountID:config-aggregator/config-aggregator-pokxzldx"
    }
  ]
}

Next, you can confirm that the IAM policy works to restrict access to the specific aggregator rule:

aws configservice get-aggregate-compliance-details-by-config-rule --configuration-aggregator-name InAccessibleAggregator --config-rule-name rule name --account-id AccountID --aws-region AwsRegion

The command should return an access denied exception:

An error occurred (AccessDeniedException) when calling the GetAggregateComplianceDetailsByConfigRule operation: User: arn:aws:iam::AccountID:user/ is not authorized to perform: config:GetAggregateComplianceDetailsByConfigRule on resource: arn:aws:config:AwsRegion-1:AccountID:config-aggregator/config-aggregator-pokxzldx

Additional Information

To learn more about creating IAM users, groups, policies, and permissions, see Creating Your First IAM User and Administrators Group and Access Control in the IAM User Guide.