【Question title】: AWS Secrets Manager Resource Policy to Deny all roles Except one Role
【Posted】: 2021-01-03 00:58:48
【Question】:

I have a secret in Secrets Manager and several IAM roles in the system. I want only one role to be able to access this secret. Unfortunately, some other IAM roles have full Secrets Manager permissions, so I want to restrict access to the secret for every role except the one I want.

Roles

  1. IAM_role_that_need_to_access_the_secret.
  2. IAM_role_1_that_should_not_access_the_secret.
  3. IAM_role_2_that_should_not_access_the_secret.

The following works fine.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": "secretsmanager:GetSecretValue",
          "Principal": {
            "AWS": [
              "arn:aws:iam::IAM_role_1_that_should_not_access_the_secret",
              "arn:aws:iam::IAM_role_2_that_should_not_access_the_secret"
            ]
          },
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::IAM_role_that_need_to_access_the_secret"
          },
          "Action": "secretsmanager:GetSecretValue",
          "Resource": "*",
          "Condition": {
            "ForAnyValue:StringEquals": {
              "secretsmanager:VersionStage": "AWSCURRENT"
            }
          }
        }
      ]
    }

But I want to deny access to all roles without explicitly listing every role in the Deny statement, something like the following. However, it restricts all roles, including the one that needs access.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": "secretsmanager:GetSecretValue",
          "Principal": {"AWS": "*"},
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::IAM_role_that_need_to_access_the_secret"
          },
          "Action": "secretsmanager:GetSecretValue",
          "Resource": "*",
          "Condition": {
            "ForAnyValue:StringEquals": {
              "secretsmanager:VersionStage": "AWSCURRENT"
            }
          }
        }
      ]
    }

【Question discussion】:

    Tags: amazon-web-services amazon-iam aws-secrets-manager aws-access-policy


    【Solution 1】:

    Update:

    I asked AWS Support, and they said:

    This is a known issue where NotPrincipal fails the resource policy with an explicit deny.

    The workaround is to use the "StringNotEquals": "aws:PrincipalArn" condition key.


    Previous answer:

    You can use NotPrincipal

        {
          "Effect": "Deny",
          "NotPrincipal": {
            "AWS": "arn:aws:iam::IAM_role_that_need_to_access_the_secret"
          },
          "Action": "secretsmanager:GetSecretValue",
          "Resource": "*",
          ...
    

    【Discussion】:

    • This doesn't work. I get the following error: An error occurred (AccessDeniedException) when calling the GetSecretValue operation: User: arn:aws:iam::IAM_role_that_need_to_access_the_secret is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:eu-west-2:secret:secret-name with an explicit deny
    • Oops, I agree! I experimented with it, but I kept getting an error that my assumed-role (from the IAM role) was not authorized... with an explicit deny. It doesn't seem to recognize NotPrincipal correctly. Might be worth contacting AWS Support. Another approach is to create another AWS account, store the secret there and grant Allow access only to the IAM role. No need to use Deny, since it is in a different account.
    【Solution 2】:

    You can create a KMS key and then write a key policy for it that grants access only to the roles you need, like the following:

    {
        "Version": "2012-10-17",
        "Id": "key-default-admin",
        "Statement": [
            {
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::<AWS_ACCOUNT_ID>:root"
                },
                "Action": "kms:*",
                "Resource": "*"
            },
            {
                "Sid": "Allow administration of the key",
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>",
                        "arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>"
                    ]
                },
                "Action": [
                    "kms:Create*",
                    "kms:Describe*",
                    "kms:Enable*",
                    "kms:List*",
                    "kms:Put*",
                    "kms:Update*",
                    "kms:Revoke*",
                    "kms:Disable*",
                    "kms:Get*",
                    "kms:Delete*",
                    "kms:ScheduleKeyDeletion",
                    "kms:CancelKeyDeletion"
                ],
                "Resource": "*"
            },
            {
                "Sid": "Allow use of the key",
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::<AWS_ACCOUNT_ID>:role/AdminRole",
                        "arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>"
                    ]
                },
                "Action": [
                    "kms:DescribeKey",
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:ReEncrypt*",
                    "kms:GenerateDataKey",
                    "kms:GenerateDataKeyWithoutPlaintext"
                ],
                "Resource": "*"
            },
            {
                "Sid": "Deny use of the key",
                "Effect": "Deny",
                "Principal": {
                    "AWS": "arn:aws:iam::<AWS_ACCOUNT_ID>:root"
                },
                "Action": "kms:*",
                "Resource": "*",
                "Condition": {
                    "StringNotLike": {
                        "aws:PrincipalArn": [
                            "arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>",
                            "arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>"
                        ]
                    }
                }
            }
        ]
    }

    【Discussion】:
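The evaluation logic behind both answers, as an added example that is not part of the original question or answers: a small model of how IAM evaluates a resource policy, used to compare the question's "Deny Principal *" attempt with Solution 1's aws:PrincipalArn workaround and with the ":root" principal plus StringNotLike pattern of Solution 2's KMS key policy. The account ID, role names and request context are constructed placeholders, and the evaluator is deliberately simplified (no SCPs, no cross-account rules, NotPrincipal not modelled). Two points it encodes that the thread does not spell out: aws:PrincipalArn carries the role ARN even when the caller is an assumed-role session, which is why one StringNotEquals covers every session of the role, and the Deny here also lists secretsmanager:PutResourcePolicy and secretsmanager:DeleteResourcePolicy (my addition), because a role holding secretsmanager:* could otherwise just delete the resource policy and then read the secret.

```python
"""Added example, not code from the question or the answers: a small model of how IAM evaluates
a resource policy. Modelled: explicit Deny wins, Principal matching (including the ":root" form,
which means every principal in that account, as used in Solution 2's KMS key policy) and the
String* condition operators. Not modelled: SCPs, cross-account access, NotPrincipal.
Account ID, role names and request context below are constructed placeholders."""
import fnmatch

ACCOUNT = "123456789012"
ROLE_OK = f"arn:aws:iam::{ACCOUNT}:role/IAM_role_that_need_to_access_the_secret"
ROLE_NO1 = f"arn:aws:iam::{ACCOUNT}:role/IAM_role_1_that_should_not_access_the_secret"
ROLE_NO2 = f"arn:aws:iam::{ACCOUNT}:role/IAM_role_2_that_should_not_access_the_secret"
GET = "secretsmanager:GetSecretValue"
GET_CTX = {"secretsmanager:VersionStage": "AWSCURRENT"}  # request context of a GetSecretValue call

ALLOW_ONE_ROLE = {"Effect": "Allow", "Principal": {"AWS": ROLE_OK}, "Action": GET, "Resource": "*",
                  "Condition": {"ForAnyValue:StringEquals": {"secretsmanager:VersionStage": "AWSCURRENT"}}}

# The question's second attempt: an unconditional Deny on "*" hits the wanted role as well.
BROKEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": {"AWS": "*"}, "Action": GET, "Resource": "*"},
    ALLOW_ONE_ROLE]}

# Solution 1's workaround. aws:PrincipalArn holds the role ARN even for an assumed-role session.
# Denying the policy-management actions too (my addition) stops a role with secretsmanager:*
# from deleting this resource policy and then reading the secret.
WORKAROUND_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": {"AWS": "*"}, "Resource": "*",
     "Action": [GET, "secretsmanager:PutResourcePolicy", "secretsmanager:DeleteResourcePolicy"],
     "Condition": {"StringNotEquals": {"aws:PrincipalArn": ROLE_OK}}},
    ALLOW_ONE_ROLE]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_matches(spec, principal_arn):
    """Does the 'AWS' value of a Principal element cover principal_arn?"""
    for entry in _as_list(spec):
        if entry == "*" or entry == principal_arn:
            return True
        # "arn:aws:iam::<account>:root" in a policy means every principal in that account.
        if entry.endswith(":root") and principal_arn.startswith(entry[: -len("root")]):
            return True
    return False


def condition_holds(condition, ctx):
    """A key missing from the request context makes the positive String* operators false and
    the negated StringNot* operators true, which is what makes a StringNot* Deny so broad."""
    for operator, keys in (condition or {}).items():
        operator = operator.split(":", 1)[-1]  # drop the ForAnyValue:/ForAllValues: qualifier
        negated, like = operator.startswith("StringNot"), operator.endswith("Like")
        for key, patterns in keys.items():
            if key not in ctx:
                if not negated:
                    return False
                continue
            value = ctx[key]
            hit = any(fnmatch.fnmatchcase(value, p) if like else value == p for p in _as_list(patterns))
            if hit == negated:
                return False
    return True


def statement_applies(stmt, principal_arn, action, ctx):
    if "NotPrincipal" in stmt:
        raise NotImplementedError("NotPrincipal is not modelled; the thread reports it misbehaving")
    if not principal_matches(stmt["Principal"]["AWS"], principal_arn):
        return False
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    return condition_holds(stmt.get("Condition"), ctx)


def evaluate(policy, principal_arn, action, ctx=None, identity_allows=True):
    """Return "Allow" or "Deny" for a same-account principal. identity_allows says whether the
    caller's own IAM policy already grants the action (true for the question's full-access roles)."""
    ctx = dict(ctx or {})
    ctx.setdefault("aws:PrincipalArn", principal_arn)
    allowed = identity_allows
    for stmt in policy["Statement"]:
        if not statement_applies(stmt, principal_arn, action, ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins, whatever else allows
        allowed = True
    return "Allow" if allowed else "Deny"


def compare_policies():
    """(deny-all decision, workaround decision) for GetSecretValue, per role."""
    roles = {"wanted": ROLE_OK, "other_1": ROLE_NO1, "other_2": ROLE_NO2}
    return {name: (evaluate(BROKEN_POLICY, arn, GET, GET_CTX), evaluate(WORKAROUND_POLICY, arn, GET, GET_CTX))
            for name, arn in roles.items()}


if __name__ == "__main__":
    for name, (broken, fixed) in compare_policies().items():
        print(f"{name:8s} deny-all: {broken:5s}  aws:PrincipalArn workaround: {fixed}")
```

This is a reasoning aid, not a substitute for testing the real policy: after `put-resource-policy`, confirm the decision with a `get-secret-value` call from each role (or the IAM policy simulator), and remember that anyone able to edit the role's trust policy or the resource policy itself sits outside what the Deny can protect.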
