AWS Secrets Manager资源策略以拒绝除一个角色以外的所有角色

编程问答 2022-07-23

问题描述

我在Secrets Manager中有一个秘密,并且系统中有多个IAM角色。我只希望只有一个角色可以访问该秘密信息。不幸的是,还有其他一些具有完全Secrets Manager特权的IAM角色。因此,我想将对秘密的访问权限限制为除我所希望的其他角色以外的所有其他角色。

角色

  1. IAM_role_that_need_to_access_the_secret。
  2. IAM_role_1_that_should_not_access_the_secret。
  3. IAM_role_2_that_should_not_access_the_secret。

以下内容有效。

    {
  "Version": "2012-10-17","Statement": [
    {
      "Effect": "Deny","Action": "secretsmanager:GetSecretValue","Principal": {
        "AWS": "arn:aws:iam::IAM_role_1_that_should_not_access_the_secret","AWS": "arn:aws:iam::IAM_role_2_that_should_not_access_the_secret"
      },"Resource": "*"
    },{
      "Effect": "Allow","Principal": {
        "AWS": "arn:aws:iam::IAM_role_that_need_to_access_the_secret"
      },"Resource": "*","Condition": {
        "ForAnyValue:StringEquals": {
          "secretsmanager:VersionStage": "AWSCURRENT"
        }
      }
    }
  ]
}

但是我想拒绝访问所有角色,而不必在“拒绝权限”部分中明确提及每个角色。像下面这样。但是它将限于所有角色,包括所需的角色。

    {
  "Version": "2012-10-17","Principal": {"AWS": "*"},"Condition": {
        "ForAnyValue:StringEquals": {
          "secretsmanager:VersionStage": "AWSCURRENT"
        }
      }
    }
  ]
}

解决方法

更新

我问过AWS支持,他们说:

这是一个已知问题,其中NotPrinicipal明确拒绝资源策略。

解决方法是使用"StringNotEquals":"aws:PrincipalArn"条件键。

上一个答案:

您可以使用NotPrincipal 

    {
      "Effect": "Deny","NotPrincipal": {
        "AWS": "arn:aws:iam::IAM_role_that_need_to_access_the_secret"
      },"Action": "secretsmanager:GetSecretValue","Resource": "*",...
,

您可以创建一个 KMS key,然后为 KMS 密钥创建一个策略,该策略仅授予您需要的角色访问权限。类似于以下内容:

{
    "Version": "2012-10-17","Id": "key-default-admin","Statement": [
        {
            "Sid": "Enable IAM User Permissions","Effect": "Allow","Principal": {
                "AWS": "arn:aws:iam::<AWS_ACCOUNT_ID>:root"
            },"Action": "kms:*","Resource": "*"
        },{
            "Sid": "Allow administration of the key","Principal": {
                "AWS": [
                    "arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>","arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>"
                ]
            },"Action": [
                "kms:Create*","kms:Describe*","kms:Enable*","kms:List*","kms:Put*","kms:Update*","kms:Revoke*","kms:Disable*","kms:Get*","kms:Delete*","kms:ScheduleKeyDeletion","kms:CancelKeyDeletion"
            ],{
            "Sid": "Allow use of the key","Principal": {
                "AWS": [
                    "arn:aws:iam::<AWS_ACCOUNT_ID>:role/AdminRole","Action": [
                "kms:DescribeKey","kms:Encrypt","kms:Decrypt","kms:ReEncrypt*","kms:GenerateDataKey","kms:GenerateDataKeyWithoutPlaintext"
            ],{
            "Sid": "Deny use of the key","Effect": "Deny","Condition": {
                "StringNotLike": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>","arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>"
                    ]
                }
            }
        }
    ]
}

amazon-iamamazon-web-servicesaws-access-policyaws-secrets-manager

相关问答

导入项目后报错问题
依赖报错 idea导入项目后依赖报错,解决方案:https://blog....
idea不能识别yaml文件
使用mybatis plus常见错误
错误1:代码生成器依赖和mybatis依赖冲突 启动项目时报错如下...
gradle常见问题与错误
错误1:gradle项目控制台输出为乱码 # 解决方案:https://bl...
Mybatis Plus传入参数0不起作用
错误还原:在查询的过程中,传入的workType为0时,该条件不起...
linux中make编译源码包失败
报错如下,gcc版本太低 ^ server.c:5346:31: 错误:‘struct...