AWS Admin Role Policy
I created a user in my AWS account and attached Admin access to it, and I created another user with the same Admin access, but I don't want that user to be able to delete my user. Any solutions?
I want to know how to do it.
With IAM policies an explicit deny takes precedence over an allow statement. This means you can add a single deny statement for a specific resource but still access other resources. You should be able to use this mechanism with IAM user permissions (but you should create a test user to validate this works as expected!!!).
Create a new policy with the contents below and attach it to the user you want to prevent from deleting your user:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["iam:DeleteUser"],
      "Resource": "arn:aws:iam::000000000000:user/blah"
    }
  ]
}
```
(Change 000000000000 to your AWS account number and blah to the user you wish to prevent being deleted.)
Depending on your needs there are a bunch of other IAM permissions you might want to deny against this user, such as RemoveUserFromGroup (if you use groups). (The easiest way of seeing these is in the IAM Console: create a policy and use the Visual Editor. Select IAM as the service, and look at the permissions available under the Write access section.)
NOTE: if you're using the Create Policy Visual Editor you can switch between the JSON view and the graphical view to see the actual policy. If you edit the JSON view the Visual Editor view will be updated and vice versa. There should be no errors or warnings reported by the Visual Editor when you complete your policy.
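As an added illustration (not part of the answer above), here is a small Python model of the evaluation rule the answer relies on: any matching Deny wins, otherwise a matching Allow, otherwise an implicit deny. It is run over a constructed AdministratorAccess-style allow plus the deny policy shown, and approximates IAM wildcards with `fnmatch`; `Condition`, `NotAction` and `NotResource` are not modelled.

```python
import fnmatch

# Constructed policies: an AdministratorAccess-equivalent allow-all, and the
# deny from the answer protecting the user "blah" in account 000000000000.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
PROTECT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["iam:DeleteUser"],
        "Resource": "arn:aws:iam::000000000000:user/blah",
    }],
}


def _as_list(value):
    # Action/Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive):
    # IAM wildcards: '*' matches any run, '?' a single character.
    # Action names are case-insensitive; resource ARNs are compared as given.
    if case_insensitive:
        value = value.lower()
        patterns = [p.lower() for p in _as_list(patterns)]
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Return 'explicitDeny', 'allowed' or 'implicitDeny' for one request."""
    decision = "implicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if "Action" not in stmt or "Resource" not in stmt:
                continue  # NotAction / NotResource forms are out of scope here
            if (_matches(stmt["Action"], action, True)
                    and _matches(stmt["Resource"], resource, False)):
                if stmt["Effect"] == "Deny":
                    return "explicitDeny"  # deny wins regardless of any allow
                decision = "allowed"
    return decision


if __name__ == "__main__":
    attached = [ADMIN_POLICY, PROTECT_POLICY]
    for act, res in [("iam:DeleteUser", "arn:aws:iam::000000000000:user/blah"),
                     ("iam:DeleteUser", "arn:aws:iam::000000000000:user/other"),
                     ("iam:RemoveUserFromGroup", "arn:aws:iam::000000000000:user/blah")]:
        print(act, res, "->", evaluate(attached, act, res))
```

The third request shows why the answer suggests denying further actions: with only `iam:DeleteUser` denied, the admin user can still remove the protected user from groups.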