Introduction to the AWS IAM permission model
The AWS IAM permission model consists of Account, User, Role, Group, Policy and Permission, together with the relationships between them, as shown in the figure below.
The permission model itself is described in the official documentation; the subject of this article is how to retrieve the policies associated with a user or role (inline policies and managed policies).
An inline policy is embedded in an IAM identity (a user, group or role); a managed policy is a standalone policy created and managed by AWS. The biggest difference between the two is that a managed policy has its own Resource ARN. Only the two taken together make up the complete set of policies of an IAM identity; for details see docs.aws.amazon.com/zh_cn/IAM/l…
Retrieving the IAM policies (managed policies) attached to an IAM user
Step 1. List all IAM users (list-users): docs.aws.amazon.com/cli/latest/…
Step 2. Get the IAM policies attached to an IAM user (list-attached-user-policies): docs.aws.amazon.com/cli/latest/…
This produces the following output:
{
    "AttachedPolicies": [
        {
            "PolicyName": "AutoScalingFullAccess",
            "PolicyArn": "arn:aws:iam::123456789012:policy/MyEC2Policy"
        }
    ]
}
Step 3. Get the default version id of a policy (get-policy): docs.aws.amazon.com/cli/latest/… This produces the following output:
{
    "Policy": {
        "PolicyName": "MyEC2Policy",
        "PolicyId": "ANPAIZT2BABFC6H2KPSEU",
        "Arn": "arn:aws:iam::123456789012:policy/MyEC2Policy",
        "Path": "/",
        "DefaultVersionId": "v2", <----------- the default version to fetch
        "AttachmentCount": 0,
        "PermissionsBoundaryUsageCount": 0,
        "IsAttachable": true,
        "Description": "Allow users to start and start EC2 instances.",
        "CreateDate": "2019-07-21T12:08:28Z",
        "UpdateDate": "2019-05-29T23:06:26Z",
        "Tags": []
    }
}
Step 4. Get the content of the policy's default version (get-policy-version): docs.aws.amazon.com/cli/latest/… This produces the following output:
{
    "PolicyVersion": {
        "Document": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": [
                        "ec2:StartInstances",
                        "ec2:StopInstances"
                    ],
                    "Resource": "arn:aws:ec2:*:*:instance/*"
                },
                {
                    "Effect": "Allow",
                    "Action": "ec2:DescribeInstances",
                    "Resource": "*"
                },
                {
                    "Effect": "Deny",
                    "Action": "ec2:TerminateInstances",
                    "Resource": "*"
                }
            ]
        },
        "VersionId": "v2",
        "IsDefaultVersion": true,
        "CreateDate": "2020-05-29T23:06:26Z"
    }
}
Retrieving the content of an IAM user's inline policy
This uses get-user-policy: docs.aws.amazon.com/cli/latest/… It produces the following output:
{
    "UserName": "WStester",
    "PolicyName": "IAMLimitedAdmin",
    "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "workspaces:*",
                    "ds:*"
                ],
                "Resource": "*"
            }
        ]
    }
}
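The four managed-policy steps above and the inline-policy call, chained into one audit script with boto3-style calls (an added example, not the post's own code; `_pages`, `user_policies`, `all_user_policies`, `wildcard_allows` and `StubIam` are my names, and `StubIam` is a constructed stand-in that returns the post's sample responses so the script runs offline). It assumes inline policy names come from list-user-policies before get-user-policy, and the `wildcard_allows` check goes beyond the post by flagging Allow statements that pair a wildcard action with Resource "*", as the IAMLimitedAdmin policy does.

```python
"""Resolve every IAM user's managed and inline policy documents (added example, not the post's code).
`iam` is any object exposing the boto3 IAM client methods used here: boto3.client("iam") or StubIam."""

def _pages(call, key, **kwargs):
    """Follow IsTruncated/Marker pagination of an IAM list_* call."""
    while True:
        page = call(**kwargs)
        yield from page[key]
        if not page.get("IsTruncated"):
            return
        kwargs["Marker"] = page["Marker"]

def user_policies(iam, user_name):
    """Return {"managed": {arn: document}, "inline": {name: document}} for one user."""
    managed, inline = {}, {}
    for att in _pages(iam.list_attached_user_policies, "AttachedPolicies", UserName=user_name):
        arn = att["PolicyArn"]
        # get-policy yields only the default version id; the document itself comes from get-policy-version
        version = iam.get_policy(PolicyArn=arn)["Policy"]["DefaultVersionId"]
        managed[arn] = iam.get_policy_version(PolicyArn=arn, VersionId=version)["PolicyVersion"]["Document"]
    for name in _pages(iam.list_user_policies, "PolicyNames", UserName=user_name):
        inline[name] = iam.get_user_policy(UserName=user_name, PolicyName=name)["PolicyDocument"]
    return {"managed": managed, "inline": inline}

def all_user_policies(iam):
    """Map every user from list-users to its resolved managed and inline policies."""
    return {u["UserName"]: user_policies(iam, u["UserName"]) for u in _pages(iam.list_users, "Users")}

def wildcard_allows(doc):
    """Sids (or actions) of Allow statements that grant a wildcard action on Resource "*"."""
    hits = []
    for st in (doc["Statement"] if isinstance(doc["Statement"], list) else [doc["Statement"]]):
        actions = [st["Action"]] if isinstance(st.get("Action"), str) else st.get("Action", [])  # NotAction has no Action
        if st["Effect"] == "Allow" and st.get("Resource") == "*" and any(a.endswith("*") for a in actions):
            hits.append(st.get("Sid") or actions)
    return hits

class StubIam:
    """Constructed stand-in for boto3.client("iam"), seeded with the post's sample responses."""
    ARN = "arn:aws:iam::123456789012:policy/MyEC2Policy"
    EC2_DOC = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"], "Resource": "arn:aws:ec2:*:*:instance/*"},
        {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"}]}
    ADMIN_DOC = {"Version": "2012-10-17", "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow", "Action": ["workspaces:*", "ds:*"], "Resource": "*"}]}
    def list_users(self, **kw): return {"Users": [{"UserName": "WStester"}]}
    def list_attached_user_policies(self, **kw): return {"AttachedPolicies": [{"PolicyName": "MyEC2Policy", "PolicyArn": self.ARN}]}
    def get_policy(self, PolicyArn): return {"Policy": {"Arn": PolicyArn, "DefaultVersionId": "v2"}}
    def get_policy_version(self, PolicyArn, VersionId): return {"PolicyVersion": {"VersionId": VersionId, "Document": self.EC2_DOC}}
    def list_user_policies(self, **kw): return {"PolicyNames": ["IAMLimitedAdmin"]}
    def get_user_policy(self, UserName, PolicyName): return {"PolicyDocument": self.ADMIN_DOC}
```

Against a real account, replace `StubIam()` with `boto3.client("iam")`; the caller needs iam:ListUsers, iam:ListAttachedUserPolicies, iam:GetPolicy, iam:GetPolicyVersion, iam:ListUserPolicies and iam:GetUserPolicy.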