I am trying to prevent the creation of a tag whose value is a space on the following tag "owner":

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Deny",
      "Action": [
        "cloudformation:CreateStack"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "ForAllValues:StringNotEquals": {
          "aws:TagKeys": [
            "owner",
            "Owner"
          ]
        },
        "ForAllValues:StringEquals": {
          "aws:RequestTag/Owner": "* *"
        }
      }
    }
  ]
}
```

This still allows me to create a tag with a space as the value. Is the condition I am using correct for this case? Thanks for any suggestions!
If you need to deny the action `cloudformation:CreateStack`, you can do it like this:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyTagOwnerWithWhitespace",
      "Effect": "Deny",
      "Action": [
        "cloudformation:CreateStack"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:RequestTag/owner": [
            " *",   // Leading whitespace
            "* ",   // Trailing whitespace
            "*\t*", // Tab
            "*\n*", // Newline
            "*\r*", // Carriage return
            "*\f*"  // Form feed
          ]
        }
      }
    }
  ]
}
```
But I believe your use case is better served by a tag policy, like this one from here:

```json
{
  "tags": {
    "costcenter": {
      "tag_key": {
        "@@assign": "CostCenter"
      },
      "tag_value": {
        "@@assign": [
          "100",
          "200"
        ]
      },
      "enforced_for": {
        "@@assign": [
          "secretsmanager:*"
        ]
      }
    }
  }
}
```
Keep in mind that you can enforce Tag key capitalization compliance, Tag value compliance and Prevent noncompliant operations for this tag; for more explanation of each of these, check this.
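To see which owner values the Deny statement above actually matches, here is an added Python model of IAM's StringLike and StringEquals matching run over constructed sample values (example code, not from the answer or from AWS; the glob semantics follow AWS's documented rules, while the sample values and function names are assumptions of this example):

```python
import re

# IAM StringLike semantics as documented by AWS: case-sensitive, '*' matches any
# run of characters (including none), '?' matches exactly one character.
# This matcher is an added model of those semantics, not AWS's own code.
def string_like(pattern: str, value: str) -> bool:
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    # DOTALL so '*' also spans newlines, as the "*\n*" pattern below needs.
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None

# StringEquals does no wildcard expansion: '*' is an ordinary character.
def string_equals(expected: str, value: str) -> bool:
    return expected == value

# The StringLike patterns from the answer's Deny statement on aws:RequestTag/owner.
DENY_PATTERNS = [" *", "* ", "*\t*", "*\n*", "*\r*", "*\f*"]

def create_stack_denied(owner_value: str, patterns=DENY_PATTERNS) -> bool:
    """A Deny whose condition lists several values for one single-valued
    key matches when any one of those patterns matches the request tag."""
    return any(string_like(p, owner_value) for p in patterns)

# Constructed sample values for the owner tag (not taken from the page).
SAMPLES = [
    "alice",        # clean value: allowed
    " alice",       # leading space: matched by " *"
    "alice ",       # trailing space: matched by "* "
    "ali\tce",      # embedded tab: matched by "*\t*"
    "a\nb",         # embedded newline: matched by "*\n*"
    "   ",          # only spaces: matched by " *"
    "",             # empty string: no pattern matches
    "alice bob",    # interior space only: no pattern matches
]

def evaluate(values=SAMPLES) -> dict:
    """Map each sample value to True (CreateStack denied) or False (allowed)."""
    return {v: create_stack_denied(v) for v in values}

if __name__ == "__main__":
    for value, denied in evaluate().items():
        print(f"{value!r:14} -> {'DENY' if denied else 'allow'}")
    # The question's StringEquals condition only ever matches the literal "* *".
    print(string_equals("* *", "alice bob"), string_equals("* *", "* *"))
```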