2 Risposte
- Più recenti
- Maggior numero di voti
- Maggior numero di commenti
1
Recommended not to use 'UserAgent'.
This key should be used carefully. Since the aws:UserAgent value is provided by the caller in an HTTP header,
unauthorized parties can use modified or custom browsers to provide any aws:UserAgent value that they
choose. As a result, aws:UserAgent should not be used to prevent unauthorized parties from making
direct AWS requests. You can use it to allow only specific client applications, and only after
testing your policy.
I don't know of a way to restrict API calls to CloudShell environments.
0
You can find examples of IAM policies for CloudShell in this article Here is some basic example:
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "CloudShellUser",
"Effect": "Allow",
"Action": [
"cloudshell:*"
],
"Resource": "*"
}]
}
con risposta 9 mesi fa
Sorry that's not my question. I know how to allow Cloudshell, the question is how to make IAM policies that only allow API usage FROM Cloudshell. For example, allow RDS API only from Cloudshell, not "on prem" shell and scripts.
Contenuto pertinente
- AWS UFFICIALEAggiornata 2 anni fa
- AWS UFFICIALEAggiornata 2 anni fa
Ok thanks so userAgent can be spoofed easily.