
Logical or in policy condition AWS

I want to have a logical OR between conditions in an AWS policy which I then need to attach to an SCP. The motivation is to add a policy which applies in case one of two conditions is met.

{
    "Sid": "OnlyT1T2Micro",
    "Effect": "Deny",
    "Action": ["ec2:RunInstances"],
    "Resource": ["arn:aws:ec2:us-east-1:accountid:instance/*"],
    "Condition": {
        "StringEquals": {
            "ec2:InstanceType": ["t1.micro","t2.micro"]
        },
        "StringEquals": {
            "ec2:Region": "us-east-1"
        }
    }
}

In this case, I would like to deny the EC2 RunInstances API in case the type is one of t1.micro or t2.micro, or the region is us-east-1. But in this snippet it's a logical "and" between the conditions, which means the policy would apply in case it's (t1.micro or t2.micro) and (us-east-1 region), whereas I'm looking to add an "or".

In order to save text in the SCP (due to the size limit), I was looking to shrink the two conditions together into one policy with an "or", in case there is an option.

Hope this example is clear.

An SCP can contain multiple policies; at the moment your single policy will require all conditions to be met (as well as the resource pattern) before it will deny.

You should create a separate statement for each of these conditions, whilst also removing the resource pattern if you're trying to deny access for those instance classes in other AWS regions.

Perhaps something like the below is more appropriate.

{
    "Sid": "OnlyT1T2Micro",
    "Effect": "Deny",
    "Action": ["ec2:RunInstances"],
    "Resource": ["*"],
    "Condition": {
        "StringEquals": {
            "ec2:InstanceType": ["t1.micro","t2.micro"]
        }
    }
},
{
    "Sid": "NotInUsEast1",
    "Effect": "Deny",
    "Action": ["ec2:RunInstances"],
    "Resource": ["*"],
    "Condition": {
        "StringEquals": {
            "ec2:Region": "us-east-1"
        }
    }
}

With this it will evaluate as: if either the instance type is a t1.micro or t2.micro, or if the region is us-east-1, then deny the action.

The only OR condition is between each statement. If you're trying to reduce the size of your statements, try to group up similar statements: for example, disable common actions in the same statement, or if you want to deny a number of regions, add them all to the same statement rather than one statement each.
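As an added example (not code from the question or the answer), here is a small Python evaluator of the StringEquals semantics the answer describes: keys within one Condition block are ANDed, a list of values for one key is ORed, and separate Deny statements are ORed. It covers only StringEquals, the Action list and these two condition keys; the rest of IAM evaluation (Resource matching, Allow statements, other operators) is deliberately out of scope, and the request contexts are constructed sample values.

```python
def condition_matches(condition, ctx):
    """Every operator/key pair must hold (AND); a list of values is an OR."""
    for operator, keys in condition.items():
        if operator != "StringEquals":
            raise ValueError(f"unsupported operator: {operator}")
        for key, expected in keys.items():
            allowed = expected if isinstance(expected, list) else [expected]
            if ctx.get(key) not in allowed:   # missing key never matches
                return False
    return True


def denied(statements, action, ctx):
    """Any matching Deny statement denies the request (OR across statements)."""
    return any(
        s["Effect"] == "Deny"
        and action in s["Action"]
        and condition_matches(s.get("Condition", {}), ctx)
        for s in statements
    )


# The question's single statement as AWS would actually parse it: both keys
# in one StringEquals block (a JSON object cannot repeat a key), hence AND.
SINGLE_STATEMENT = [{
    "Sid": "OnlyT1T2Micro", "Effect": "Deny", "Action": ["ec2:RunInstances"],
    "Resource": ["*"],
    "Condition": {"StringEquals": {"ec2:InstanceType": ["t1.micro", "t2.micro"],
                                   "ec2:Region": "us-east-1"}},
}]

# The answer's form: one Deny statement per condition, which gives the OR.
TWO_STATEMENTS = [
    {"Sid": "OnlyT1T2Micro", "Effect": "Deny", "Action": ["ec2:RunInstances"],
     "Resource": ["*"],
     "Condition": {"StringEquals": {"ec2:InstanceType": ["t1.micro", "t2.micro"]}}},
    {"Sid": "RegionUsEast1", "Effect": "Deny", "Action": ["ec2:RunInstances"],
     "Resource": ["*"],
     "Condition": {"StringEquals": {"ec2:Region": "us-east-1"}}},
]

# Constructed request contexts (sample values, not captured from a real call).
T2_IN_EU = {"ec2:InstanceType": "t2.micro", "ec2:Region": "eu-west-1"}
M5_IN_US = {"ec2:InstanceType": "m5.large", "ec2:Region": "us-east-1"}

if __name__ == "__main__":
    for name, ctx in [("t2.micro/eu-west-1", T2_IN_EU), ("m5.large/us-east-1", M5_IN_US)]:
        print(name, "single:", denied(SINGLE_STATEMENT, "ec2:RunInstances", ctx),
              "two:", denied(TWO_STATEMENTS, "ec2:RunInstances", ctx))
```

Only a request that satisfies both keys at once is denied by the single statement, while either key alone triggers one of the two statements.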
