

This page is a machine-translated version. If this translation differs from the English original, the English original takes precedence.

# Adding confused deputy protection to your Terraform provisioning engine
<a name="confused-deputy-TRFM-engine"></a>

## Confused deputy context key on the endpoint to restrict access to the `lambda:Invoke` action
<a name="confused-deputy-TRFM-lambda"></a>

The parameter parser Lambda function created by the Amazon Service Catalog-provided engine has an access policy that grants cross-account `lambda:Invoke` permission only to the Amazon Service Catalog service principal:

```json
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "servicecatalog.amazonaws.com"
            },
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:{{111122223333}}:function:ServiceCatalogTerraformOSParameterParser"
        }
    ]
}
```

This should be the only permission required for the integration with Amazon Service Catalog to function. However, you can restrict it further with the `aws:SourceAccount` [confused deputy](https://docs.amazonaws.cn/IAM/latest/UserGuide/confused-deputy) context key. Amazon Service Catalog populates the key with the ID of the provisioning account when it invokes the function. This is useful when you intend to distribute products through portfolio sharing and want to ensure that only specific accounts use your engine.

For example, you can restrict your engine to requests originating only from 000000000000 and 111111111111 with a condition like the following:

```json
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "servicecatalog.amazonaws.com"
            },
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:{{111122223333}}:function:ServiceCatalogTerraformOSParameterParser",
            "Condition": {
                "StringLike": {
                    "aws:SourceAccount": [
                        "000000000000",
                        "111111111111"
                    ]
                }
            }
        }
    ]
}
```

## Confused deputy context key on the endpoint to restrict access to the `sqs:SendMessage` action
<a name="confused-deputy-TRFM-sqs"></a>

The provisioning-operation ingestion Amazon SQS queue created by the Amazon Service Catalog-provided engine has an access policy that grants cross-account `sqs:SendMessage` (and the associated KMS) permissions only to the Amazon Service Catalog service principal:

```json
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Sid": "Enable AWS Service Catalog to send messages to the queue",
            "Effect": "Allow",
            "Principal": {
                "Service": "servicecatalog.amazonaws.com"
            },
            "Action": "sqs:SendMessage",
            "Resource": [
                "arn:aws:sqs:us-east-1:{{111122223333}}:ServiceCatalogTerraformOSProvisionOperationQueue"
            ]
        },
        {
            "Sid": "Enable AWS Service Catalog encryption/decryption permissions when sending message to queue",
            "Effect": "Allow",
            "Principal": {
                "Service": "servicecatalog.amazonaws.com"
            },
            "Action": [
                "kms:DescribeKey",
                "kms:Decrypt",
                "kms:ReEncryptFrom",
                "kms:ReEncryptTo",
                "kms:GenerateDataKey"
            ],
            "Resource": "arn:aws:kms:us-east-1:{{111122223333}}:key/key_id"
        }
    ]
}
```

These should be the only permissions required for the integration with Amazon Service Catalog to function. However, you can restrict them further with the `aws:SourceAccount` [confused deputy](https://docs.amazonaws.cn/IAM/latest/UserGuide/confused-deputy) context key. Amazon Service Catalog populates the key with the ID of the provisioning account when it sends messages to these queues. This is useful when you intend to distribute products through portfolio sharing and want to ensure that only specific accounts use your engine.

For example, you can restrict your engine to requests originating only from 000000000000 and 111111111111 with a condition like the following:

```json
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Sid": "Enable AWS Service Catalog to send messages to the queue",
            "Effect": "Allow",
            "Principal": {
                "Service": "servicecatalog.amazonaws.com"
            },
            "Action": "sqs:SendMessage",
            "Resource": [
                "arn:aws:sqs:us-east-1:{{111122223333}}:ServiceCatalogTerraformOSProvisionOperationQueue"
            ],
            "Condition": {
                "StringLike": {
                    "aws:SourceAccount": [
                        "000000000000",
                        "111111111111"
                    ]
                }
            }
        },
        {
            "Sid": "Enable AWS Service Catalog encryption/decryption permissions when sending message to queue",
            "Effect": "Allow",
            "Principal": {
                "Service": "servicecatalog.amazonaws.com"
            },
            "Action": [
                "kms:DescribeKey",
                "kms:Decrypt",
                "kms:ReEncryptFrom",
                "kms:ReEncryptTo",
                "kms:GenerateDataKey"
            ],
            "Resource": "arn:aws:kms:us-east-1:{{111122223333}}:key/key_id"
        }
    ]
}
```
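The following script is an added example for both the Lambda and the SQS sections above; it is not Service Catalog's own tooling. It audits a resource policy of the shape shown on this page, reports every `Allow` statement that trusts the `servicecatalog.amazonaws.com` principal, says whether that statement is scoped with an `aws:SourceAccount` condition, and evaluates whether a given provisioning account would pass that condition using IAM's `StringEquals` (exact) and `StringLike` (`*` and `?` wildcards) semantics. The two embedded policies are constructed from the examples above with the placeholder account `111122223333` and a shortened KMS action list; the helper names (`audit_policy`, `source_account_allowed`) are this example's own.

```python
"""Audit a Lambda or SQS resource policy for aws:SourceAccount scoping.

Added example, not Service Catalog's own tooling. Assumes policies in the
shape shown on this page: Principal.Service, and an optional Condition using
StringEquals or StringLike on aws:SourceAccount.
"""
import json
import re

TRUSTED_SERVICE = "servicecatalog.amazonaws.com"
SOURCE_ACCOUNT_KEY = "aws:SourceAccount"

# Constructed sample: the hardened Lambda policy from this page.
LAMBDA_POLICY_SCOPED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": TRUSTED_SERVICE},
        "Action": "lambda:InvokeFunction",
        "Resource": "arn:aws:lambda:us-east-1:111122223333:function:ServiceCatalogTerraformOSParameterParser",
        "Condition": {"StringLike": {SOURCE_ACCOUNT_KEY: ["000000000000", "111111111111"]}},
    }],
})

# Constructed sample: the queue policy before any condition is added.
QUEUE_POLICY_UNSCOPED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable AWS Service Catalog to send messages to the queue",
            "Effect": "Allow",
            "Principal": {"Service": TRUSTED_SERVICE},
            "Action": "sqs:SendMessage",
            "Resource": ["arn:aws:sqs:us-east-1:111122223333:ServiceCatalogTerraformOSProvisionOperationQueue"],
        },
        {
            "Sid": "Enable AWS Service Catalog encryption/decryption permissions when sending message to queue",
            "Effect": "Allow",
            "Principal": {"Service": TRUSTED_SERVICE},
            "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
            "Resource": "arn:aws:kms:us-east-1:111122223333:key/key_id",
        },
    ],
})


def _as_list(value):
    """IAM accepts a bare string anywhere a list of strings is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _service_principals(statement):
    """Service principals a statement trusts; "*" means everyone, the service included."""
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("Service"))
    return []


def source_account_condition(statement):
    """Return (operator, patterns) for an aws:SourceAccount condition, or (None, [])."""
    for operator, keys in statement.get("Condition", {}).items():
        if operator not in ("StringEquals", "StringLike"):
            continue
        for key, value in keys.items():
            if key.lower() == SOURCE_ACCOUNT_KEY.lower():  # condition keys are case-insensitive
                return operator, _as_list(value)
    return None, []


def _string_like(pattern, value):
    """IAM StringLike: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def source_account_allowed(operator, patterns, source_account):
    """Would a request the service makes on behalf of source_account pass the condition?"""
    if operator == "StringEquals":
        return source_account in patterns
    if operator == "StringLike":
        return any(_string_like(p, source_account) for p in patterns)
    return True  # no condition at all: any account the service acts for is accepted


def audit_policy(policy_json, source_account):
    """One finding per Allow statement that trusts the Service Catalog principal."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not ({TRUSTED_SERVICE, "*"} & set(_service_principals(stmt))):
            continue
        operator, patterns = source_account_condition(stmt)
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action")),
            "scoped": operator is not None,
            "allows_account": source_account_allowed(operator, patterns, source_account),
        })
    return findings


if __name__ == "__main__":
    # An account that is not in the portfolio share should be rejected only by the scoped policy.
    for name, policy in (("lambda (scoped)", LAMBDA_POLICY_SCOPED), ("queue (unscoped)", QUEUE_POLICY_UNSCOPED)):
        for finding in audit_policy(policy, "999999999999"):
            print(name, finding)
```

Run against the output of `aws lambda get-policy` or `aws sqs get-queue-attributes --attribute-names Policy` to check a deployed engine. Two things the audit makes visible: the page's queue example adds the condition only to the `sqs:SendMessage` statement, so the KMS statement is reported as unscoped and you can decide whether to scope it the same way; and `StringLike` behaves like `StringEquals` for the literal account IDs shown here, but a pattern such as `1111*` would widen the allowed set, so `StringEquals` states the intent more precisely when the values are exact IDs.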