I was wondering if it was possible to have an IAM user with a policy that can only be triggered by a certain AWS service.
I know it is possible to restrict the policy to be triggered by a certain IP with the following:
"Condition": { "IpAddress": {"aws:SourceIp": "123.45.167.89"} }
Is there a condition for an AWS service? (e.g. sts.amazonaws.com)
Thanks
Here is an example of a policy that allows writing CloudWatch logs to the OpenSearch (es.amazonaws.com) service:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "es.amazonaws.com"
      },
      "Action": [
        "logs:PutLogEvents",
        "logs:PutLogEventsBatch",
        "logs:CreateLogStream"
      ],
      "Resource": "cw_log_group_arn:*"
    }
  ]
}
As you can see, it is possible to set Principal to grant access to a specific resource:
"Principal": {"Service": "es.amazonaws.com"}
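As an added example, not part of the answer above: a small Python model of how the Service principal in that policy restricts who is granted access, plus a check for the aws:SourceAccount / aws:SourceArn condition keys that AWS recommends alongside a service principal. The log group ARN is a constructed placeholder, and the evaluator ignores Deny statements and Conditions.

```python
from fnmatch import fnmatchcase

# Constructed placeholder ARN standing in for "cw_log_group_arn" in the answer;
# POLICY below is the answer's resource policy expressed as a Python dict.
LOG_GROUP_ARN = "arn:aws:logs:us-east-1:111122223333:log-group:opensearch-logs"
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "es.amazonaws.com"},
        "Action": ["logs:PutLogEvents", "logs:PutLogEventsBatch", "logs:CreateLogStream"],
        "Resource": LOG_GROUP_ARN + ":*",
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _any_match(patterns, value):
    # IAM-style wildcards '*' and '?'; matching is case-sensitive like ARNs.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))

def statement_allows(stmt, principal, action, resource):
    """True if one Allow statement grants `action` on `resource` to `principal`,
    given as {"Service": "es.amazonaws.com"} or {"AWS": "<iam arn>"}. A statement
    only matches a principal of the same type: an IAM user never satisfies Service."""
    if stmt.get("Effect") != "Allow":
        return False
    allowed = stmt.get("Principal", {})
    principal_ok = allowed == "*" or (isinstance(allowed, dict) and any(
        key in allowed and _any_match(allowed[key], value)
        for key, value in principal.items()))
    return (principal_ok and _any_match(stmt.get("Action", []), action)
            and _any_match(stmt.get("Resource", []), resource))

def policy_allows(policy, principal, action, resource):
    """Simplified evaluation: any matching Allow wins (no Deny or Condition handling)."""
    return any(statement_allows(s, principal, action, resource) for s in policy["Statement"])

def unscoped_service_grants(policy):
    """Statements granting to a service principal with neither aws:SourceAccount nor
    aws:SourceArn in their Condition, i.e. not pinned to this account's own resources."""
    found = []
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict) and "Service" in principal:
            keys = {k for test in stmt.get("Condition", {}).values() for k in test}
            if not keys & {"aws:SourceAccount", "aws:SourceArn"}:
                found.append(stmt)
    return found
```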