简体繁体 English

对于 AWS CDK，我如何确定合适的 IAM 策略和权限来替换根账户？

[英]For the AWS CDK, how can I determine the appropriate IAM policy and permissions to replace a root account?

原文 2023-01-10 01:45:53 9 1 aws-sdk/ amazon-iam/ aws-iam-policy

I am setting up aws CDK for a new stack on aws, and the docs say essentially "use the root account to start up, but then set up a policy for a new account":我正在为 aws 上的新堆栈设置 aws CDK，文档基本上说“使用 root 帐户启动，然后为新帐户设置策略”：

However, using their recommended assume/* policy almost immediately leads to errors when trying to cdk deploy.但是，在尝试 cdk 部署时，使用他们推荐的 assume/* 策略几乎会立即导致错误。 So what is a mechanism for determining a policy useful and applicable to setting up a full cloudformation stack deployment?那么，确定对设置完整的 cloudformation 堆栈部署有用和适用的策略的机制是什么？

For one example use case, when setting up continuous integration to deploy multiple stacks how can we avoid giving it the keys to the kingdom?对于一个示例用例，在设置持续集成以部署多个堆栈时，我们如何避免将王国的钥匙交给它？

1 个解决方案

Since I am part of the aws community builders community, I asked there as well.因为我是 aws 社区建设者社区的一员，所以我也在那里问过。 Suffice it to say that this is a known problem, and not a trivial one to solve.只要说这是一个已知问题，而不是一个需要解决的小问题就够了。 I will try to distill what I learned into an answer here in broad strokes:我将尝试将我学到的知识提炼成一个粗略的答案：

Set up permission boundaries.设置权限边界。 These can forbid an agent from creating new users and privilege escalation.这些可以禁止代理创建新用户和权限升级。 https://aws.amazon.com/blogs/devops/secure-cdk-deployments-with-iam-permission-boundaries/ https://aws.amazon.com/blogs/devops/secure-cdk-deployments-with-iam-permission-boundaries/
Walk your shots/walk your permissions.走你的镜头/走你的许可。 In other terms, give scant few permissions, then try to deploy, find where additional permissions are needed and add those, try to deploy again, rinse and repeat.换句话说，给予很少的权限，然后尝试部署，找到需要额外权限的地方并添加这些权限，尝试再次部署，冲洗并重复。 This is most applicable if you expect the services of a stack to rarely change.如果您希望堆栈的服务很少更改，这最适用。
Draft a permission policy of Allow all... ...then deny in particular .起草Allow all... ...then deny in particular的许可政策。 In other words, set a policy on the deploying agent that allows * access to all services... ...and then deny permission to create users, change other users, etc etc. Contained within this approach is: bootstrap, then customize https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping.html#bootstrapping-customizing换句话说，在允许*访问所有服务的部署代理上设置策略... ...然后拒绝创建用户、更改其他用户等的权限。此方法包含： bootstrap, then customize https ://docs.aws.amazon.com/cdk/v2/guide/bootstrapping.html#bootstrapping-customizing
Consider a multi-account strategy, where you would add a new aws account for a different project.考虑一个多账户策略，您可以在其中为不同的项目添加一个新的 aws 账户。 Because AWS is usage based payment, they allow for multi-accounting in this way where other services might have policies against multiple accounts.因为 AWS 是基于使用的支付方式，所以它们允许以这种方式进行多账户，而其他服务可能有针对多个账户的策略。 Control tower can help with this.控制塔可以帮助解决这个问题。