stackoom
  简体   繁体   中英

IAM user policy that can only triggered by a AWS service (Condition)

 原文  2022-05-19 00:14:40       amazon-web-services/ amazon-iam

Question

I was wondering if it was possible to have a IAM user that can have a policy that can only be triggered by a certain AWS service.

I know it is possible to restrict the policy to be triggered by a certain IP with the following:

"Condition": { "IpAddress": {"aws:SourceIp": "123.45.167.89"} }

Is there a condition for an aws service? (eg sts.amazonaws.com)

Thanks

1 answers

solution1
 2  2022-05-19 00:21:24

Here is an example for policy that allows to write CloudWatch logs to OpenSearch ( es.amazonaws.com ) service: 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "es.amazonaws.com"
      },
      "Action": [
        "logs:PutLogEvents",
        "logs:PutLogEventsBatch",
        "logs:CreateLogStream"
      ],
      "Resource": "cw_log_group_arn:*"
    }
  ]
}

As you can see it is possible to set Principal to grant access for specific resource:

"Principal": {"Service": "es.amazonaws.com"}

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question AWS::IAM::Policy for any user How can i create an iam policy for a service on a different aws account? Can't find AWS Lightsail permissions policy for my IAM user AWS IAM Policy: Tag only untagged resources AWS IAM user role or policy self contained AWS: IAM Policy to Add User To specific Group Can I automate user creation in AWS IAM service? How can i write single condition for multiple statements in AWS IAM policy? AWS IAM Policy to allow full access to services, but only on the instances this user created AWS Amazon IAM user Policy to access ONLY one EC2 instance on EU-WEST-1 region
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM