我想创建一个 AWS IAM 策略,以确保请求的区域与请求者区域相同。
例如
| 拉姆达 | 资源可访问 | 资源无法访问 |
|---|---|---|
| arn:aws:lambda:REGION_1:ACCOUNT_1:函数:lambda_1 | arn:aws:dynamodb:REGION_1:ACCOUNT_1:表/table_1 | arn:aws:dynamodb:REGION_2:ACCOUNT_1:表/table_1 |
| arn:aws:lambda:REGION_2:ACCOUNT_1:函数:lambda_1 | arn:aws:dynamodb:REGION_2:ACCOUNT_1:表/table_1 | arn:aws:dynamodb:REGION_1:ACCOUNT_1:表/table_1 |
我知道如何使用两项政策来做到这一点,但我不想通过一项政策来实现相同的目标。
有没有办法制定这样的政策?
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Action": [
"dynamodb:*"
],
"Resource": [
"arn:aws:dynamodb:*:ACCOUNT_1:table/table_1"
],
"Condition": {
"StringEquals": {
"aws:RequestedRegion": [
"${LAMBDA_REGION}"
]
}
}
}
]
}
注意,以上政策不起作用
我尝试过之前的策略,寻找包含 lambda 所在区域的变量,但没有找到。
您可以使用具有多个语句的单个策略和
aws:SourceArn{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Action": [
"dynamodb:*"
],
"Resource": [
"arn:aws:dynamodb:REGION_1:ACCOUNT_1:table/table_1"
],
"Condition": {
"ArnEquals": {
"aws:SourceArn": "arn:aws:lambda:REGION_1:ACCOUNT_1:function:lambda_1"
}
}
},
{
"Sid": "Statement21",
"Effect": "Allow",
"Action": [
"dynamodb:*"
],
"Resource": [
"arn:aws:dynamodb:REGION_2:ACCOUNT_1:table/table_1"
],
"Condition": {
"ArnEquals": {
"aws:SourceArn": "arn:aws:lambda:REGION_2:ACCOUNT_1:function:lambda_1"
}
}
}
]
}