我们一直在修改团队其他成员的 IAM 策略。只有当他们的会话中 MFA 处于活动状态时,才应允许他们执行大部分操作。然而,即使他们已经建立了 MFA 会话,他们也无法访问任何 S3 存储桶,也无法启动 SSM 会话。如果我把这些操作添加到 DenyAllExceptListedIfNoMFA 的 NotAction 列表中,它们当然就能用了。但我不明白为什么他们在使用 MFA 会话时仍然被明确拒绝。有人能指出我的错误吗?这是唯一适用于他们的策略。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAdmin",
"Effect": "Allow",
"NotAction": [
"iam:CreatePolicy",
"iam:AttachUserPolicy",
"iam:AttachRolePolicy",
"iam:AttachGroupPolicy",
"iam:DeletePolicy",
"iam:DeleteGroupPolicy",
"iam:DeleteAccountPasswordPolicy",
"iam:DeletePolicyVersion",
"iam:DeleteRolePolicy",
"iam:DeleteUserPolicy",
"iam:DetachGroupPolicy",
"iam:DetachRolePolicy",
"iam:DetachUserPolicy",
"iam:PutGroupPolicy",
"iam:PutRolePolicy",
"iam:PutUserPolicy",
"iam:SetDefaultPolicyVersion",
"iam:UpdateAssumeRolePolicy",
"iam:CreatePolicyVersion",
"iam:UpdateUser",
"iam:DeleteUser",
"iam:CreateUser",
"iam:RemoveUserFromGroup",
"iam:AddUserToGroup",
"iam:ListUserPolicies",
"iam:ListAttachedGroupPolicies",
"iam:ListAttachedRolePolicies",
"iam:ListAttachedUserPolicies",
"iam:ListGroupPolicies",
"iam:ListPolicies",
"iam:ListRolePolicies",
"account:GetAccountInformation",
"account:GetPrimaryEmail",
"account:GetRegionOptStatus",
"account:AcceptPrimaryEmailUpdate",
"account:EnableRegion",
"account:DisableRegion",
"account:PutAlternateContact",
"account:PutChallengeQuestions",
"account:DeleteAlternateContact",
"account:StartPrimaryEmailUpdate",
"account:CloseAccount",
"account:PutContactInformation"
],
"Resource": "*"
},
{
"Sid": "AllowViewAccountInfo",
"Effect": "Allow",
"Action": [
"iam:GetAccountPasswordPolicy",
"iam:ListVirtualMFADevices"
],
"Resource": "*"
},
{
"Sid": "AllowManageOwnPasswords",
"Effect": "Allow",
"Action": [
"iam:ChangePassword",
"iam:GetUser"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnAccessKeys",
"Effect": "Allow",
"Action": [
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:ListAccessKeys",
"iam:UpdateAccessKey",
"iam:GetAccessKeyLastUsed"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnSigningCertificates",
"Effect": "Allow",
"Action": [
"iam:DeleteSigningCertificate",
"iam:ListSigningCertificates",
"iam:UpdateSigningCertificate",
"iam:UploadSigningCertificate"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnSSHPublicKeys",
"Effect": "Allow",
"Action": [
"iam:DeleteSSHPublicKey",
"iam:GetSSHPublicKey",
"iam:ListSSHPublicKeys",
"iam:UpdateSSHPublicKey",
"iam:UploadSSHPublicKey"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnGitCredentials",
"Effect": "Allow",
"Action": [
"iam:CreateServiceSpecificCredential",
"iam:DeleteServiceSpecificCredential",
"iam:ListServiceSpecificCredentials",
"iam:ResetServiceSpecificCredential",
"iam:UpdateServiceSpecificCredential"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnVirtualMFADevice",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice"
],
"Resource": "arn:aws:iam::*:mfa/*"
},
{
"Sid": "AllowManageOwnUserMFA",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice",
"iam:EnableMFADevice",
"iam:ListMFADevices",
"iam:ResyncMFADevice"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "DenyAllExceptListedIfNoMFA",
"Effect": "Deny",
"NotAction": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:GetUser",
"iam:GetMFADevice",
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ResyncMFADevice",
"sts:GetSessionToken",
],
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
]
}
如果我正确理解了你的问题,原因可能是缺少明确的 Allow 语句,因此访问被默认拒绝。在你的策略中,我没有看到任何允许 `s3:...` 或 `sts:...` 操作的语句。
尝试添加一条新语句,明确允许你需要执行的操作。
如果还需要进一步帮助,欢迎随时留言 :)