Policy IAM user Appstream2.0

Is it possible to give access only to a certain image, stack, or fleet with IAM policies?

Do you have any examples?

I tried with a policy but it returns this error:

User: arn:aws:iam::xxxxxxxxx:user/xxxxxxxx is not authorized to perform: appstream:DescribeFleets on resource: arn:aws:appstream:eu-central-1:xxxxxxxxxxx:fleet/* because no boundary policy allows the appstream:DescribeFleets action

My need is: in an AWS account, an IAM user must only see some image/fleet/stack.

thanks

1 Answer

The AppStream 2.0 console doesn't currently support restricting what a user can see based on tags or other resource boundaries. For example, the Stacks page calls the AppStream 2.0 API "DescribeStacks" without specifying any boundaries or tags. You can use tags to prevent a user from updating an AppStream 2.0 resource without specifying a specific tag - for example, if a user/role should only be able to modify resources with a tag key of "Stage" and value of "NonProd", you can specify that as a condition.

Expert
Answered 2 years ago
  • Thanks for your answer MuraliAtAWS. So a policy with these controls (see example) is not possible?

    "Resource": [
        "arn:aws:appstream:eu-central-1:123.....:image-builder/imagebuilder01",
        "arn:aws:appstream:eu-central-1:123.....:stack/stack01",
        "arn:aws:appstream:eu-central-1:123.....:app-block/",
        "arn:aws:appstream:eu-central-1:123.....:fleet/fleet1",
        "arn:aws:appstream:eu-central-1:123.....:application/",
        "arn:aws:appstream:eu-central-1:123.....:image/image01"
    ],
    "Condition": {
        "StringEqualsIfExists": {
            "aws:username": "user01"
        }
    }
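The answer above says the console's list pages call Describe* with no resource scope, while mutating actions can be gated on a resource tag; the following identity policy, added here as an illustration and not written by the answer author or by AWS, puts those two points together. The account ID 111122223333, region, tag key "Stage" and value "NonProd" are assumed placeholders, and the tag condition relies on AppStream honouring aws:ResourceTag for these actions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ConsoleListPagesNeedUnscopedDescribe",
      "Effect": "Allow",
      "Action": [
        "appstream:DescribeStacks",
        "appstream:DescribeFleets",
        "appstream:DescribeImages",
        "appstream:DescribeImageBuilders",
        "appstream:ListTagsForResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ModifyOnlyResourcesTaggedNonProd",
      "Effect": "Allow",
      "Action": [
        "appstream:UpdateStack",
        "appstream:UpdateFleet",
        "appstream:StartFleet",
        "appstream:StopFleet"
      ],
      "Resource": [
        "arn:aws:appstream:eu-central-1:111122223333:stack/*",
        "arn:aws:appstream:eu-central-1:111122223333:fleet/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Stage": "NonProd"
        }
      }
    }
  ]
}
```

The first statement is what makes the console pages load at all, so it does not hide stacks or fleets from the user; only the second statement narrows what the user can change. Note that the error quoted in the question says "no boundary policy allows" the action, so the user's permissions boundary must also grant appstream:DescribeFleets, otherwise an identity policy like this one will still be denied.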
