- Mais recentes
- Mais votos
- Mais comentários
Hi,
I am not actually 100% sure why these IAM policies have different names (AWSExposedCredentialPolicy_DO_NOT_REMOVE and AWSCompromisedKeyQuarantineV2), but looking at the contents of both it is safe to say that V2 has a lot more deny permissions under it.
Contents of the AWSExposedCredentialPolicy_DO_NOT_REMOVE can be found here: https://gist.github.com/0xdabbad00/b1ff2b09a1d04a401fa65ace48bd41e3
AWSCompromisedKeyQuarantineV2 has the following permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"ec2:RequestSpotInstances",
"ec2:RunInstances",
"ec2:StartInstances",
"iam:AddUserToGroup",
"iam:AttachGroupPolicy",
"iam:AttachRolePolicy",
"iam:AttachUserPolicy",
"iam:ChangePassword",
"iam:CreateAccessKey",
"iam:CreateInstanceProfile",
"iam:CreateLoginProfile",
"iam:CreatePolicyVersion",
"iam:CreateRole",
"iam:CreateUser",
"iam:DetachUserPolicy",
"iam:PassRole",
"iam:PutGroupPolicy",
"iam:PutRolePolicy",
"iam:PutUserPermissionsBoundary",
"iam:PutUserPolicy",
"iam:SetDefaultPolicyVersion",
"iam:UpdateAccessKey",
"iam:UpdateAccountPasswordPolicy",
"iam:UpdateAssumeRolePolicy",
"iam:UpdateLoginProfile",
"iam:UpdateUser",
"lambda:AddLayerVersionPermission",
"lambda:AddPermission",
"lambda:CreateFunction",
"lambda:GetPolicy",
"lambda:ListTags",
"lambda:PutProvisionedConcurrencyConfig",
"lambda:TagResource",
"lambda:UntagResource",
"lambda:UpdateFunctionCode",
"lightsail:Create*",
"lightsail:Delete*",
"lightsail:DownloadDefaultKeyPair",
"lightsail:GetInstanceAccessDetails",
"lightsail:Start*",
"lightsail:Update*",
"organizations:CreateAccount",
"organizations:CreateOrganization",
"organizations:InviteAccountToOrganization",
"s3:DeleteBucket",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:PutLifecycleConfiguration",
"s3:PutBucketAcl",
"s3:PutBucketOwnershipControls",
"s3:DeleteBucketPolicy",
"s3:ObjectOwnerOverrideToBucketOwner",
"s3:PutAccountPublicAccessBlock",
"s3:PutBucketPolicy",
"s3:ListAllMyBuckets"
],
"Resource": [
"*"
]
}
]
}
This leads me to think V2 is just that, perhaps just an updated version? The AWS blogs, documentation and articles are not 100% accurate, there are always bugs, false statements, or incomplete sentences I have found and reported over the years.
BTW, there is also a managed policy under the name "AWSCompromisedKeyQuarantine" (without the V2, which looks very similar to the contents of the AWSExposedCredentialPolicy_DO_NOT_REMOVE policy you mentioned).
Hope this helps.
Conteúdo relevante
- AWS OFICIALAtualizada há 2 anos
- AWS OFICIALAtualizada há 3 meses