Adding confused deputy protection to your Terraform provisioning engine - Amazon Service Catalog


Adding confused deputy protection to your Terraform provisioning engine

Confused deputy context keys on the endpoint restricting access to the lambda:Invoke action

The parameter parser Lambda function created by the engine that Amazon Service Catalog provides has an access policy that grants cross-account lambda:Invoke permissions only to the Amazon Service Catalog service principal:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "servicecatalog.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:account_id:function:ServiceCatalogTerraformOSParameterParser"
    }
  ]
}

This should be the only permission the Amazon Service Catalog integration needs in order to function. However, you can restrict it further with the aws:SourceAccount confused deputy context key. When Amazon Service Catalog invokes this function, it populates the key with the ID of the provisioning account. This is useful when you intend to distribute products through portfolio sharing and want to ensure that only specific accounts can use your engine.

For example, you can restrict your engine to requests originating from accounts 000000000000 and 111111111111 with a condition like the one below. The account IDs contain no wildcards, so StringLike matches them exactly here; StringEquals would express the same constraint.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "servicecatalog.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:account_id:function:ServiceCatalogTerraformOSParameterParser",
      "Condition": {
        "StringLike": {
          "aws:SourceAccount": ["000000000000", "111111111111"]
        }
      }
    }
  ]
}

Confused deputy context keys on the endpoint restricting access to the sqs:SendMessage action

The Amazon SQS queue that ingests provisioning operations, created by the engine that Amazon Service Catalog provides, has an access policy that grants cross-account sqs:SendMessage (and associated KMS) permissions only to the Amazon Service Catalog service principal:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "Enable AWS Service Catalog to send messages to the queue",
      "Effect": "Allow",
      "Principal": {
        "Service": "servicecatalog.amazonaws.com"
      },
      "Action": "sqs:SendMessage",
      "Resource": [
        "arn:aws:sqs:us-east-1:account_id:ServiceCatalogTerraformOSProvisionOperationQueue"
      ]
    },
    {
      "Sid": "Enable AWS Service Catalog encryption/decryption permissions when sending message to queue",
      "Effect": "Allow",
      "Principal": {
        "Service": "servicecatalog.amazonaws.com"
      },
      "Action": [
        "kms:DescribeKey",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey"
      ],
      "Resource": "arn:aws:kms:us-east-1:account_id:key/key_id"
    }
  ]
}

This should be the only permission the Amazon Service Catalog integration needs in order to function. However, you can restrict it further with the aws:SourceAccount confused deputy context key. When Amazon Service Catalog sends messages to this queue, it populates the key with the ID of the provisioning account. This is useful when you intend to distribute products through portfolio sharing and want to ensure that only specific accounts can use your engine.

For example, you can restrict your engine to requests originating from accounts 000000000000 and 111111111111 with a condition like the following. Note that the condition is attached to the sqs:SendMessage statement only; the KMS statement is left as it was.

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "Enable AWS Service Catalog to send messages to the queue",
      "Effect": "Allow",
      "Principal": {
        "Service": "servicecatalog.amazonaws.com"
      },
      "Action": "sqs:SendMessage",
      "Resource": [
        "arn:aws:sqs:us-east-1:account_id:ServiceCatalogTerraformOSProvisionOperationQueue"
      ],
      "Condition": {
        "StringLike": {
          "aws:SourceAccount": ["000000000000", "111111111111"]
        }
      }
    },
    {
      "Sid": "Enable AWS Service Catalog encryption/decryption permissions when sending message to queue",
      "Effect": "Allow",
      "Principal": {
        "Service": "servicecatalog.amazonaws.com"
      },
      "Action": [
        "kms:DescribeKey",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey"
      ],
      "Resource": "arn:aws:kms:us-east-1:account_id:key/key_id"
    }
  ]
}
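Both sections above make the same point: a resource policy that trusts the servicecatalog.amazonaws.com service principal should also pin aws:SourceAccount to the provisioning accounts you expect. The following audit script is an added example, not code from the Amazon Service Catalog documentation or the engine itself. It walks a Lambda or SQS resource-based policy, finds each Allow statement that grants the Service Catalog service principal access, and reports whether that statement is unrestricted, pinned to the expected accounts, pinned to an account you did not list, or uses a StringLike wildcard that admits more than the listed IDs. The two sample policies are constructed to mirror the shape of the policies shown above; their account IDs, key ID and Sid values are placeholders.

```python
"""Audit Lambda / SQS resource policies for aws:SourceAccount pinning.

Added example, not from the Service Catalog documentation. The sample
policies below are constructed; ARNs use placeholder account and key IDs.
"""
import json
from typing import Iterable, Optional

SERVICE_PRINCIPAL = "servicecatalog.amazonaws.com"
SOURCE_ACCOUNT_KEY = "aws:sourceaccount"  # IAM condition keys are case-insensitive


def _as_list(value) -> list:
    """Principal, Action and condition values may be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def grants_to_service_catalog(statement: dict) -> bool:
    """True when an Allow statement lets the Service Catalog service principal in."""
    if statement.get("Effect") != "Allow":
        return False
    principal = statement.get("Principal")
    if principal == "*":  # anonymous principal covers every service and account
        return True
    if not isinstance(principal, dict):
        return False
    services = _as_list(principal.get("Service"))
    return SERVICE_PRINCIPAL in services or "*" in services


def source_accounts(statement: dict) -> Optional[set]:
    """Account IDs (or patterns) admitted by a positive aws:SourceAccount condition.

    Returns None when no such condition exists, i.e. the statement accepts a
    request made on behalf of any provisioning account.
    """
    admitted: set = set()
    found = False
    for operator, pairs in statement.get("Condition", {}).items():
        base = operator.split(":")[-1]  # strip "ForAnyValue:" style prefixes
        if not base.startswith("String") or "Not" in base:
            continue  # StringNotEquals excludes accounts rather than pinning them
        for key, value in pairs.items():
            if key.lower() == SOURCE_ACCOUNT_KEY:
                found = True
                admitted.update(str(v) for v in _as_list(value))
    return admitted if found else None


def audit_policy(policy: dict, expected_accounts: Iterable[str]) -> list:
    """One finding per statement that grants the Service Catalog principal access."""
    expected = set(expected_accounts)
    findings = []
    for statement in _as_list(policy.get("Statement")):
        if not grants_to_service_catalog(statement):
            continue
        admitted = source_accounts(statement)
        if admitted is None:
            status = "UNRESTRICTED"        # any provisioning account can reach this endpoint
        elif any("*" in a or "?" in a for a in admitted):
            status = "WILDCARD"            # StringLike pattern admits more than listed IDs
        elif admitted - expected:
            status = "UNEXPECTED_ACCOUNT"  # pinned, but to an account you did not expect
        else:
            status = "OK"
        findings.append({
            "sid": statement.get("Sid"),
            "actions": _as_list(statement.get("Action")),
            "admitted": sorted(admitted) if admitted else [],
            "status": status,
        })
    return findings


# Constructed sample: the parameter parser function policy before any condition is added.
UNRESTRICTED_LAMBDA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": SERVICE_PRINCIPAL},
        "Action": "lambda:InvokeFunction",
        "Resource": "arn:aws:lambda:us-east-1:123456789012:function:ServiceCatalogTerraformOSParameterParser",
    }],
}

# Constructed sample: the queue policy with aws:SourceAccount pinned on sqs:SendMessage only.
RESTRICTED_SQS_POLICY = {
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "SendMessage",
            "Effect": "Allow",
            "Principal": {"Service": SERVICE_PRINCIPAL},
            "Action": "sqs:SendMessage",
            "Resource": ["arn:aws:sqs:us-east-1:123456789012:ServiceCatalogTerraformOSProvisionOperationQueue"],
            "Condition": {"StringLike": {"aws:SourceAccount": ["000000000000", "111111111111"]}},
        },
        {
            "Sid": "KmsForQueue",
            "Effect": "Allow",
            "Principal": {"Service": SERVICE_PRINCIPAL},
            "Action": ["kms:DescribeKey", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey"],
            "Resource": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555",
        },
    ],
}

if __name__ == "__main__":
    allowed = ["000000000000", "111111111111"]
    for name, policy in [("lambda", UNRESTRICTED_LAMBDA_POLICY), ("sqs", RESTRICTED_SQS_POLICY)]:
        print(name, json.dumps(audit_policy(policy, allowed), indent=2))
```

Run against the sample policies, the unconditioned Lambda policy is reported as UNRESTRICTED, the sqs:SendMessage statement as OK, and the KMS statement as UNRESTRICTED, because the hardened queue policy above conditions only the SendMessage statement. The WILDCARD status exists because StringLike treats `*` and `?` in the value as pattern characters, so a value such as `1111*` would admit far more than one account; listing full twelve-digit IDs, as the examples above do, avoids that.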