2 réponses
- Le plus récent
- Le plus de votes
- La plupart des commentaires
1
Recommended not to use 'UserAgent'.
This key should be used carefully. Since the aws:UserAgent value is provided by the caller in an HTTP header,
unauthorized parties can use modified or custom browsers to provide any aws:UserAgent value that they
choose. As a result, aws:UserAgent should not be used to prevent unauthorized parties from making
direct AWS requests. You can use it to allow only specific client applications, and only after
testing your policy.
I don't know of a way to restrict API calls to CloudShell environments.
0
You can find examples of IAM policies for CloudShell in this article Here is some basic example:
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "CloudShellUser",
"Effect": "Allow",
"Action": [
"cloudshell:*"
],
"Resource": "*"
}]
}
répondu il y a 9 mois
Sorry that's not my question. I know how to allow Cloudshell, the question is how to make IAM policies that only allow API usage FROM Cloudshell. For example, allow RDS API only from Cloudshell, not "on prem" shell and scripts.
Contenus pertinents
- demandé il y a 6 mois
- demandé il y a un an
AWS OFFICIELA mis à jour il y a un an- AWS OFFICIELA mis à jour il y a 2 ans
Ok thanks so userAgent can be spoofed easily.