ResourceTag VS PrincipalTag

Besides ordinary AWS resources, IAM users and roles can carry tags too:

[screenshot: tags attached to an IAM user or role]


In the Condition block of a policy you will often see the ResourceTag and PrincipalTag condition keys. The difference between them:

  • aws:PrincipalTag/tag-key: compares against a tag attached to the IAM principal (user or role) that is making the request
  • ResourceTag (ec2:ResourceTag/tag-key, or the global aws:ResourceTag/tag-key for services that support it): compares against a tag attached to the AWS resource being acted on, e.g. an EC2 instance

The documentation for these two keys is rather abstract; an example makes the difference clear:

[screenshot: example policy combining a PrincipalTag and a ResourceTag condition]

The policy above combines the two keys: the condition on the principal's Department tag is evaluated against the caller, and the condition on the Project tag against the instance. The result is that only a user or role tagged Department = Data is allowed to act on EC2 instances tagged Project = DataAnalytics; because it is a single Allow statement, it grants nothing to any other principal or on any other instance.


Implementing ABAC – Attribute-Based Access Control

With PrincipalTag you can implement Attribute-Based Access Control (ABAC): access is decided by matching attributes (tags) on the caller and on the resource, rather than by listing resources in the policy.

Suppose every user carries a CostCenter tag and may only operate on EC2 instances that carry the same CostCenter tag; for example, a user tagged CostCenter=B may only act on instances tagged CostCenter=B.

[screenshot: CostCenter tags on users and on EC2 instances]

Combining PrincipalTag with ResourceTag, and referencing the caller's tag value through the ${aws:PrincipalTag/CostCenter} policy variable, reduces the whole scheme to one policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/CostCenter": "${aws:PrincipalTag/CostCenter}"
                }
            }
        }
    ]
}

The first statement has no condition because ec2:DescribeInstances does not support resource-level permissions and must be granted on Resource "*"; the second statement is the ABAC part. If a principal has no CostCenter tag, the ${aws:PrincipalTag/CostCenter} variable cannot be resolved, the condition does not match, and the request is denied by default. With this in place, a new CostCenter value or a newly tagged instance needs no change to the policy.

So the advantage of Attribute-Based Access Control over Role-Based Access Control (RBAC) is automatic matching: when new resources are created with the right tags, no policy update is needed. The flip side is that the tags become the security boundary. Anyone who can change the CostCenter tag on an instance (ec2:CreateTags, ec2:DeleteTags) or on a principal (iam:TagUser, iam:TagRole) can grant themselves access under this policy, so those tagging permissions have to be restricted separately.
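To make the matching concrete for both the Department/Project policy and the CostCenter policy above, here is a small evaluator added as an example; it is not part of the original post and not an AWS library. It models only the subset of IAM evaluation the two policies need: Action matching with "*" wildcards, StringEquals conditions, Allow/Deny with default deny, and ${aws:PrincipalTag/...} variable substitution. The Department/Project policy is reconstructed from the text, and its action list (Start/Stop) is an assumption since the screenshot is not reproduced; the CostCenter policy is the one printed above. The principals and instances fed to it are constructed samples.

```python
"""Minimal evaluator for tag-based IAM conditions (added example, not AWS code).
Models just enough of IAM to show how aws:PrincipalTag/* and ec2:ResourceTag/*
behave: Action wildcards, StringEquals, Allow/Deny, ${...} variable substitution."""
import fnmatch
import re
from typing import Dict, List, Optional

# Reconstructed from the Department/Project description; the action list is an assumption.
DEPARTMENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:StartInstances", "ec2:StopInstances"],
        "Resource": "*",
        "Condition": {"StringEquals": {
            "aws:PrincipalTag/Department": "Data",
            "ec2:ResourceTag/Project": "DataAnalytics",
        }},
    }],
}

# The CostCenter ABAC policy from the post, unchanged.
COSTCENTER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:StopInstances"],
         "Resource": "*",
         "Condition": {"StringEquals": {
             "ec2:ResourceTag/CostCenter": "${aws:PrincipalTag/CostCenter}"}}},
    ],
}

_VAR = re.compile(r"\$\{([^}]+)\}")


def build_context(principal_tags: Dict[str, str],
                  resource_tags: Dict[str, str]) -> Dict[str, str]:
    """Turn the caller's and the resource's tags into request-context keys."""
    ctx = {f"aws:PrincipalTag/{k}": v for k, v in principal_tags.items()}
    ctx.update({f"ec2:ResourceTag/{k}": v for k, v in resource_tags.items()})
    return ctx


def resolve(value: str, ctx: Dict[str, str]) -> Optional[str]:
    """Substitute ${key} policy variables. Returns None when a referenced key is
    absent (e.g. the caller has no CostCenter tag): the condition then cannot match."""
    missing = False

    def sub(m):
        nonlocal missing
        if m.group(1) not in ctx:
            missing = True
            return ""
        return ctx[m.group(1)]

    out = _VAR.sub(sub, value)
    return None if missing else out


def condition_matches(condition: Dict, ctx: Dict[str, str]) -> bool:
    """Only StringEquals is modelled; every key/value pair in it must match."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            if key not in ctx:  # the resource or principal lacks that tag
                return False
            wanted = resolve(expected, ctx)
            if wanted is None or ctx[key] != wanted:
                return False
    return True


def is_allowed(policy: Dict, action: str,
               principal_tags: Dict[str, str],
               resource_tags: Dict[str, str]) -> bool:
    """Default deny; an explicit Deny beats any Allow."""
    ctx = build_context(principal_tags, resource_tags)
    allowed = False
    for stmt in policy["Statement"]:
        actions: List[str] = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        # IAM matches action names case-insensitively, with '*' wildcards
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in actions):
            continue
        if not condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed sample callers and instances
    print(is_allowed(DEPARTMENT_POLICY, "ec2:StartInstances",
                     {"Department": "Data"}, {"Project": "DataAnalytics"}))  # True
    print(is_allowed(DEPARTMENT_POLICY, "ec2:StartInstances",
                     {"Department": "Sales"}, {"Project": "DataAnalytics"}))  # False
    print(is_allowed(COSTCENTER_POLICY, "ec2:StopInstances",
                     {"CostCenter": "B"}, {"CostCenter": "B"}))  # True
    print(is_allowed(COSTCENTER_POLICY, "ec2:StopInstances",
                     {"CostCenter": "B"}, {"CostCenter": "A"}))  # False
    print(is_allowed(COSTCENTER_POLICY, "ec2:StopInstances",
                     {}, {"CostCenter": "B"}))  # False: variable unresolvable
    print(is_allowed(COSTCENTER_POLICY, "ec2:DescribeInstances", {}, {}))  # True
```

The untagged-principal case is the one worth remembering: a missing tag fails closed, because the variable cannot be resolved. The same evaluator also shows the weak point: if the CostCenter=A instance is retagged to CostCenter=B, the call that was denied becomes allowed without any policy change, which is why ec2:CreateTags and iam:TagUser/iam:TagRole must be controlled as tightly as the policy itself.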