1 answer
The following documentation shows that Condition keys cannot be set for the policies required to view IAM Roles and IAM Groups.
In other words, it would be difficult to display them in different environments.
https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentityandaccessmanagementiam.html
It is recommended to set the necessary ARNs in the Resource section, since it seems possible to narrow down the ARNs there.
As an example, the following will limit the user and role details to those of the ARNs set in Resource.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:ListUsers",
                "iam:ListRoles",
                "iam:ListGroups"
            ],
            "Resource": ["*"]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetUser",
                "iam:GetGroup",
                "iam:GetRole"
            ],
            "Resource": [
                "arn:aws:iam::AWS Account ID:user/IAM User Name",
                "arn:aws:iam::AWS Account ID:role/IAM Role Name",
                "arn:aws:iam::AWS Account ID:group/IAM Group Name"
            ]
        }
    ]
}
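Added example, not part of the answer above and not AWS's own evaluation logic: a small offline check that applies the Action/Resource wildcard rules of the policy above to confirm that the List actions are allowed on "*" while the Get actions only succeed for the listed ARNs. The account ID 123456789012 and the principal names are constructed placeholders; the evaluator ignores Condition, NotAction/NotResource, SCPs and resource policies, so it is a sanity check, not a substitute for the IAM policy simulator.

```python
import fnmatch
import json

# Constructed sample: the policy from the answer with placeholder values filled in.
# The account ID and principal names are assumed, not taken from any real account.
SCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["iam:ListUsers", "iam:ListRoles", "iam:ListGroups"],
     "Resource": ["*"]},
    {"Effect": "Allow",
     "Action": ["iam:GetUser", "iam:GetGroup", "iam:GetRole"],
     "Resource": ["arn:aws:iam::123456789012:user/alice",
                  "arn:aws:iam::123456789012:role/AppRole",
                  "arn:aws:iam::123456789012:group/Developers"]}
  ]
}
""")


def _as_list(value):
    # IAM accepts either a single string or a list for Action/Resource.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, ignore_case):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    # Action names are case-insensitive; resource ARNs are case-sensitive.
    if ignore_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource):
    """Simplified identity-policy evaluation: an explicit Deny wins,
    otherwise any matching Allow grants, otherwise implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(_as_list(stmt["Action"]), action, ignore_case=True):
            continue
        if not _matches(_as_list(stmt["Resource"]), resource, ignore_case=False):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

List calls are not resource-scoped in IAM, so they are checked against "*", which is why ListRoles still enumerates every role in the account even though GetRole is limited to the named ARNs.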