我希望将AWS账户的使用限制在一个地区,但仍然允许全球服务,特别是Cloudfront(需要在弗吉尼亚州的ACM)。
以下简单陈述不足以达到我的目的:
{
"Sid": "DisableRegions",
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": [
"eu-central-1"
]
}
}
}
有没有人正在使用IAM策略的工作版本呢?还请考虑S3,桶也应该只在这个区域提供!
我的解决方案现在允许管理员访问法兰克福,并启用所有全球服对于S3,我只允许全局只读访问。在北弗吉尼亚州也必须允许ACM在Cloudfront中启用SSL。随时欢迎反馈!
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AdministratorAccessForRegionFrankfurt",
"Effect": "Allow",
"Action": "*",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestedRegion": [
"eu-central-1"
]
}
}
},
{
"Sid": "AllowGlobalServices",
"Effect": "Allow",
"Action": [
"aws-portal:*",
"awsbillingconsole:*",
"iam:*",
"sts:*",
"health:*",
"support:*",
"budgets:*",
"cloudfront:*",
"organizations:*",
"trustedadvisor:*",
"shield:*",
"waf:*",
"waf-regional:*",
"route53:*",
"route53domains:*",
"tag:*",
"resource-groups:*",
"s3:Get*",
"s3:List*",
"s3:Head*",
"glacier:List*",
"glacier:Describe*",
"glacier:Get*"
],
"Resource": "*"
},
{
"Sid": "AllowACMInUSEastAsWell",
"Effect": "Allow",
"Action": "acm:*",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestedRegion": [
"us-east-1"
]
}
}
}
]
}