Permission management

In this section we apply permission control in two places: the role's trust relationship, which decides which certificate holders may assume the role at all, and the session policy of the Roles Anywhere profile, which caps what an assumed session may do.

Controlling permissions in the trust relationship

Open the role created earlier and edit its trust relationship.

Add a condition so that the role may only be assumed when aws:PrincipalTag/x509Subject/CN equals workload-a.iamra.test:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "rolesanywhere.amazonaws.com"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:SetSourceIdentity",
        "sts:TagSession"
      ],
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/x509Subject/CN": [
            "workload-a.iamra.test"
          ]
        }
      }
    }
  ]
}

After saving, run the S3 access command again from each workload: workload-b is now refused, and only workload-a is permitted to assume the role.
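To make the behaviour of that condition concrete, here is an added example (not code from the original article) that models the check Roles Anywhere performs: the certificate subject is exposed as principal tags of the form aws:PrincipalTag/x509Subject/<RDN>, and the StringEquals condition must match before sts:AssumeRole is allowed. It implements only the small subset of IAM policy semantics the trust policy above uses; the subject dictionaries passed in are constructed test inputs.

```python
"""Minimal evaluator for the Roles Anywhere trust-policy condition shown above.

Added example, not part of the original article.  Models only StringEquals /
StringNotEquals conditions on principal tags, which is all the policy needs.
"""
import json

# The trust policy from the article, embedded so the script runs offline.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {"Service": "rolesanywhere.amazonaws.com"},
      "Action": ["sts:AssumeRole", "sts:SetSourceIdentity", "sts:TagSession"],
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/x509Subject/CN": ["workload-a.iamra.test"]
        }
      }
    }
  ]
}
""")


def principal_tags_from_subject(subject: dict) -> dict:
    """Mirror the Roles Anywhere mapping of certificate subject RDNs
    (CN, O, OU, ...) onto aws:PrincipalTag/x509Subject/<RDN> context keys."""
    return {f"aws:PrincipalTag/x509Subject/{rdn}": value for rdn, value in subject.items()}


def condition_matches(condition: dict, context: dict) -> bool:
    """Every clause of every operator must hold for the condition to pass.
    A StringEquals key that is absent from the context fails (no tag, no match)."""
    for operator, clauses in condition.items():
        for key, allowed in clauses.items():
            values = allowed if isinstance(allowed, list) else [allowed]
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in values:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in values:
                    return False
            else:
                raise ValueError(f"condition operator not modelled: {operator}")
    return True


def can_assume(policy: dict, subject: dict, action: str = "sts:AssumeRole") -> bool:
    """Return True if some Allow statement for the Roles Anywhere service
    principal covers the action and its condition matches the subject's tags.
    Anything not explicitly allowed is denied, as in IAM."""
    context = principal_tags_from_subject(subject)
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Allow" or action not in actions:
            continue
        if stmt.get("Principal", {}).get("Service") != "rolesanywhere.amazonaws.com":
            continue
        if condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    # Constructed subjects for the two workloads from the article.
    for cn in ("workload-a.iamra.test", "workload-b.iamra.test"):
        verdict = "allowed" if can_assume(TRUST_POLICY, {"CN": cn}) else "denied"
        print(f"{cn}: {verdict}")
```

The useful property to notice is the last assertion in the test: a certificate whose subject carries no CN at all is also denied, because a missing StringEquals key never matches. That is what makes the condition a safe default rather than a filter that only catches known names.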

Controlling permissions with a session policy

Open the Roles Anywhere page and edit the profile created earlier. The original session policy allows every action.

Update it so that it only allows access to SQS:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Action":"sqs:*",
      "Resource":"*"
    }
  ]
}

After saving, run the S3 access command again from the command line. Because the session policy above no longer covers S3, this call now fails as well.

After testing, restore the original session policy:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Action":"*",
      "Resource":"*"
    }
  ]
}
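The reason the S3 call fails while SQS keeps working is that a session policy never grants anything on its own: the permissions a session actually has are the intersection of the role's identity policy and the session policy. The following added example (not code from the original article) models that intersection with the two session policies shown above. The role policy it uses is a constructed one that allows S3 and SQS, standing in for whatever is attached to the role; the action wildcard matching follows IAM's case-insensitive "*" semantics, and resource matching is simplified to "*".

```python
"""Effective permissions under a Roles Anywhere session policy.

Added example, not part of the original article.  Shows that the session
policy can only narrow the role's permissions, never widen them.
"""
import fnmatch
import json

# Constructed identity policy attached to the role (assumption for the example).
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "sqs:*"], "Resource": "*"}
    ],
}

# The restrictive session policy from the article.
SESSION_POLICY_SQS_ONLY = json.loads("""
{
  "Version":"2012-10-17",
  "Statement":[
    {"Effect":"Allow", "Action":"sqs:*", "Resource":"*"}
  ]
}
""")

# The permissive session policy the article restores afterwards.
SESSION_POLICY_ALL = json.loads("""
{
  "Version":"2012-10-17",
  "Statement":[
    {"Effect":"Allow", "Action":"*", "Resource":"*"}
  ]
}
""")


def policy_allows(policy: dict, action: str) -> bool:
    """Evaluate a single policy for one action on any resource.
    An explicit Deny always wins; otherwise some Allow must match; else deny."""
    allowed = False
    for stmt in policy["Statement"]:
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        # IAM action names match case-insensitively, with "*" as the wildcard.
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def effective_allow(role_policy: dict, session_policy: dict, action: str) -> bool:
    """A session may perform an action only if both the role's identity policy
    and the session policy allow it."""
    return policy_allows(role_policy, action) and policy_allows(session_policy, action)


if __name__ == "__main__":
    # Constructed sample actions: the S3 call from the article, an SQS call,
    # and one the role itself never had.
    for name, session in (("sqs-only", SESSION_POLICY_SQS_ONLY), ("all", SESSION_POLICY_ALL)):
        for action in ("s3:ListBucket", "sqs:SendMessage", "ec2:DescribeInstances"):
            verdict = "allow" if effective_allow(ROLE_POLICY, session, action) else "deny"
            print(f"session policy {name:8s} {action:22s} -> {verdict}")
```

Note the ec2:DescribeInstances case: even the fully permissive session policy does not allow it, because the role's own policy does not. This is why restoring the "*" session policy at the end of the section is safe with respect to the role: it returns the session to the role's permissions, not beyond them.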