Using identity-based policies (IAM policies) in AWS Control Tower

This is a machine-translated version. If this translation differs from the English original, the English original prevails.


This topic provides examples of identity-based policies that show how an account administrator can attach permissions policies to IAM identities (users, groups, and roles) to grant permission to perform operations on AWS Control Tower resources.

Important

We recommend that you first read the introductory topics that explain the basic concepts and options for managing access to your AWS Control Tower resources. For more information, see Overview of managing access permissions to your AWS Control Tower resources.

AWSControlTowerAdmin role

This role provides AWS Control Tower with access to the infrastructure that is critical to maintaining the landing zone. The AWSControlTowerAdmin role requires an attached managed policy and a role trust policy for the IAM role. A role trust policy is a resource-based policy that specifies which principals can assume the role.

The following is an example snippet of the trust policy for this role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "controltower.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

To create this role from the AWS CLI, with the trust policy saved in a file named trust.json, the following is an example CLI command:

aws iam create-role --role-name AWSControlTowerAdmin --path /service-role/ --assume-role-policy-document file://trust.json

This role requires two IAM policies.

  1. An inline policy, for example:

     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Action": "ec2:DescribeAvailabilityZones",
           "Resource": "*"
         }
       ]
     }

  2. The managed policy that follows, AWSControlTowerServiceRolePolicy.

AWSControlTowerServiceRolePolicy

AWSControlTowerServiceRolePolicy is an AWS managed policy that defines the permissions for creating and managing AWS Control Tower resources, such as AWS CloudFormation stack sets and stack instances, AWS CloudTrail log files, the configuration aggregator for AWS Control Tower, and the AWS Organizations accounts and organizational units (OUs) that are managed by AWS Control Tower.

Updates to this managed policy are summarized in the table Managed policies for AWS Control Tower.

For more information, see AWSControlTowerServiceRolePolicy in the AWS Managed Policy Reference Guide.

Managed policy name: AWSControlTowerServiceRolePolicy

The JSON artifact for AWSControlTowerServiceRolePolicy is shown below:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:CreateStackInstances",
        "cloudformation:CreateStackSet",
        "cloudformation:DeleteStack",
        "cloudformation:DeleteStackInstances",
        "cloudformation:DeleteStackSet",
        "cloudformation:DescribeStackInstance",
        "cloudformation:DescribeStacks",
        "cloudformation:DescribeStackSet",
        "cloudformation:DescribeStackSetOperation",
        "cloudformation:ListStackInstances",
        "cloudformation:UpdateStack",
        "cloudformation:UpdateStackInstances",
        "cloudformation:UpdateStackSet"
      ],
      "Resource": [
        "arn:aws:cloudformation:*:*:type/resource/AWS-IAM-Role"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "account:EnableRegion",
        "account:ListRegions",
        "account:GetRegionOptStatus"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:CreateStackInstances",
        "cloudformation:CreateStackSet",
        "cloudformation:DeleteStack",
        "cloudformation:DeleteStackInstances",
        "cloudformation:DeleteStackSet",
        "cloudformation:DescribeStackInstance",
        "cloudformation:DescribeStacks",
        "cloudformation:DescribeStackSet",
        "cloudformation:DescribeStackSetOperation",
        "cloudformation:GetTemplate",
        "cloudformation:ListStackInstances",
        "cloudformation:UpdateStack",
        "cloudformation:UpdateStackInstances",
        "cloudformation:UpdateStackSet"
      ],
      "Resource": [
        "arn:aws:cloudformation:*:*:stack/AWSControlTower*/*",
        "arn:aws:cloudformation:*:*:stack/StackSet-AWSControlTower*/*",
        "arn:aws:cloudformation:*:*:stackset/AWSControlTower*:*",
        "arn:aws:cloudformation:*:*:stackset-target/AWSControlTower*/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudtrail:CreateTrail",
        "cloudtrail:DeleteTrail",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:StartLogging",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:PutRetentionPolicy"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:aws-controltower/CloudTrailLogs:*",
        "arn:aws:cloudtrail:*:*:trail/aws-controltower*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::aws-controltower*/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/AWSControlTowerExecution",
        "arn:aws:iam::*:role/AWSControlTowerBlueprintAccess"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudtrail:DescribeTrails",
        "ec2:DescribeAvailabilityZones",
        "iam:ListRoles",
        "logs:CreateLogGroup",
        "logs:DescribeLogGroups",
        "organizations:CreateAccount",
        "organizations:DescribeAccount",
        "organizations:DescribeCreateAccountStatus",
        "organizations:DescribeOrganization",
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribePolicy",
        "organizations:ListAccounts",
        "organizations:ListAccountsForParent",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:ListChildren",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListParents",
        "organizations:ListPoliciesForTarget",
        "organizations:ListTargetsForPolicy",
        "organizations:ListRoots",
        "organizations:MoveAccount",
        "servicecatalog:AssociatePrincipalWithPortfolio"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:GetUser",
        "iam:ListAttachedRolePolicies",
        "iam:GetRolePolicy"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/service-role/AWSControlTowerStackSetRole",
        "arn:aws:iam::*:role/service-role/AWSControlTowerCloudTrailRole",
        "arn:aws:iam::*:role/service-role/AWSControlTowerConfigAggregatorRoleForOrganizations"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "config:DeleteConfigurationAggregator",
        "config:PutConfigurationAggregator",
        "config:TagResource"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/aws-control-tower": "managed-by-control-tower"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:EnableAWSServiceAccess",
        "organizations:DisableAWSServiceAccess"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "organizations:ServicePrincipal": [
            "config.amazonaws.com",
            "cloudtrail.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "cloudtrail.amazonaws.com"
        }
      }
    }
  ]
}

Role trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "controltower.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

The inline policy is AWSControlTowerAdminPolicy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "ec2:DescribeAvailabilityZones",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

AWSControlTowerStackSetRole

AWS CloudFormation assumes this role to deploy stack sets in accounts created by AWS Control Tower. Inline policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/AWSControlTowerExecution"
      ],
      "Effect": "Allow"
    }
  ]
}

Trust policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudformation.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

AWSControlTowerCloudTrailRole

AWS Control Tower enables CloudTrail as a best practice and provides this role to CloudTrail. CloudTrail assumes this role to create and publish CloudTrail logs. Inline policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "logs:CreateLogStream",
      "Resource": "arn:aws:logs:*:*:log-group:aws-controltower/CloudTrailLogs:*",
      "Effect": "Allow"
    },
    {
      "Action": "logs:PutLogEvents",
      "Resource": "arn:aws:logs:*:*:log-group:aws-controltower/CloudTrailLogs:*",
      "Effect": "Allow"
    }
  ]
}

Trust policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

AWSControlTowerBlueprintAccess role requirements

AWS Control Tower requires you to create the AWSControlTowerBlueprintAccess role in the designated blueprint hub account within the same organization.

Role name

The role name must be AWSControlTowerBlueprintAccess.

Role trust policy

The role must be set up to trust the following principals:

  • The principal that uses AWS Control Tower in the management account.

  • The AWSControlTowerAdmin role in the management account.

The following example shows a least-privilege trust policy. When you create your own policy, replace the term YourManagementAccountId with the actual account ID of your AWS Control Tower management account, and replace the term YourControlTowerUserRole with the identifier of the IAM role in the management account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::YourManagementAccountId:role/service-role/AWSControlTowerAdmin",
          "arn:aws:iam::YourManagementAccountId:role/YourControlTowerUserRole"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

Role permissions

You must attach the AWSServiceCatalogAdminFullAccess managed policy to the role.
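The three requirements above (role name, trust policy restricted to management-account principals, managed policy attached) can be audited from the role's IAM description. The following is an added example, not AWS code: it takes the role name, the trust policy document and the attached policy ARNs (as returned by get-role and list-attached-role-policies) together with the management account ID, and reports each deviation. The sample role below is constructed for illustration.

```python
"""Audit an AWSControlTowerBlueprintAccess role against the requirements above.

Added example, not AWS code. All sample values are constructed.
"""
REQUIRED_ROLE_NAME = "AWSControlTowerBlueprintAccess"
REQUIRED_MANAGED_POLICY = "AWSServiceCatalogAdminFullAccess"


def _as_list(value):
    """IAM allows a single string or a list in most policy fields."""
    return value if isinstance(value, list) else [value]


def check_blueprint_access_role(role_name, trust_policy, attached_policy_arns, mgmt_account_id):
    """Return a list of findings; an empty list means the role is compliant."""
    findings = []
    if role_name != REQUIRED_ROLE_NAME:
        findings.append(f"role name must be {REQUIRED_ROLE_NAME}, got {role_name}")

    admin_arn = f"arn:aws:iam::{mgmt_account_id}:role/service-role/AWSControlTowerAdmin"
    trusted = []
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or principal.get("AWS") == "*":
            findings.append("trust policy allows any AWS principal to assume the role")
            continue
        trusted.extend(_as_list(principal.get("AWS", [])))

    if admin_arn not in trusted:
        findings.append(f"trust policy must trust {admin_arn}")
    for arn in trusted:
        # A bare account ID or an account root trusts every principal in that account.
        if not arn.startswith("arn:") or arn.endswith(":root"):
            findings.append(f"trust policy trusts a whole account, not a specific role: {arn}")
        elif arn.split(":")[4] != mgmt_account_id:
            findings.append(f"trusted principal is outside the management account: {arn}")
        elif "*" in arn:
            findings.append(f"wildcard in trusted principal: {arn}")

    if not any(arn.endswith(f":policy/{REQUIRED_MANAGED_POLICY}") for arn in attached_policy_arns):
        findings.append(f"managed policy {REQUIRED_MANAGED_POLICY} is not attached")
    return findings


# Constructed sample: a compliant role in hub account, management account 111122223333.
SAMPLE_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {
    "AWS": ["arn:aws:iam::111122223333:role/service-role/AWSControlTowerAdmin",
            "arn:aws:iam::111122223333:role/ControlTowerOperator"]}, "Action": "sts:AssumeRole"}]}
SAMPLE_ATTACHED = ["arn:aws:iam::aws:policy/AWSServiceCatalogAdminFullAccess"]

if __name__ == "__main__":
    print(check_blueprint_access_role(REQUIRED_ROLE_NAME, SAMPLE_TRUST_POLICY, SAMPLE_ATTACHED, "111122223333"))
```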

AWSServiceRoleForAWSControlTower

This role provides AWS Control Tower with access to the log archive account, the audit account, and member accounts for operations that are critical to maintaining the landing zone, such as notifying you about resource drift.

The AWSServiceRoleForAWSControlTower role requires an attached managed policy and a role trust policy for the IAM role.

Managed policy for this role: AWSControlTowerAccountServiceRolePolicy

Role trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "controltower.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

AWSControlTowerAccountServiceRolePolicy

This AWS managed policy allows AWS Control Tower to call, on your behalf, the AWS services that provide automated account configuration and centralized governance.

The policy contains the minimum permissions for AWS Control Tower to implement forwarding of AWS Security Hub findings for resources managed by Security Hub controls that are part of the Security Hub Service-managed Standard: AWS Control Tower, and it prevents changes that would restrict customers' ability to manage their accounts. It is part of the background AWS Security Hub drift detection process and is not initiated directly by the customer.

The policy allows the creation of Amazon EventBridge rules in each member account, specifically rules for Security Hub controls, and those rules must specify the exact rule EventPattern. In addition, these permissions apply only to rules that are managed by our service principal.

Service principal: controltower.amazonaws.com

The JSON artifact for AWSControlTowerAccountServiceRolePolicy is shown below. The // comments are explanatory annotations in this reference copy; IAM policy documents do not accept comments, so remove them before using the JSON elsewhere.

{
  "Version": "2012-10-17",
  "Statement": [
    // For creating the managed rule
    {
      "Sid": "AllowPutRuleOnSpecificSourcesAndDetailTypes",
      "Effect": "Allow",
      "Action": "events:PutRule",
      "Resource": "arn:aws:events:*:*:rule/*ControlTower*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "events:source": "aws.securityhub"
        },
        "Null": {
          "events:detail-type": "false"
        },
        "StringEquals": {
          "events:ManagedBy": "controltower.amazonaws.com",
          "events:detail-type": "Security Hub Findings - Imported"
        }
      }
    },
    // Other operations to manage the managed rule
    {
      "Sid": "AllowOtherOperationsOnRulesManagedByControlTower",
      "Effect": "Allow",
      "Action": [
        "events:DeleteRule",
        "events:EnableRule",
        "events:DisableRule",
        "events:PutTargets",
        "events:RemoveTargets"
      ],
      "Resource": "arn:aws:events:*:*:rule/*ControlTower*",
      "Condition": {
        "StringEquals": {
          "events:ManagedBy": "controltower.amazonaws.com"
        }
      }
    },
    // More managed rule permissions
    {
      "Sid": "AllowDescribeOperationsOnRulesManagedByControlTower",
      "Effect": "Allow",
      "Action": [
        "events:DescribeRule",
        "events:ListTargetsByRule"
      ],
      "Resource": "arn:aws:events:*:*:rule/*ControlTower*"
    },
    // Add permission to publish the security notifications to SNS
    {
      "Sid": "AllowControlTowerToPublishSecurityNotifications",
      "Effect": "Allow",
      "Action": "sns:publish",
      "Resource": "arn:aws:sns:*:*:aws-controltower-AggregateSecurityNotifications",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalAccount": "${aws:ResourceAccount}"
        }
      }
    },
    // For drift verification
    {
      "Sid": "AllowActionsForSecurityHubIntegration",
      "Effect": "Allow",
      "Action": [
        "securityhub:DescribeStandardsControls",
        "securityhub:GetEnabledStandards"
      ],
      "Resource": "arn:aws:securityhub:*:*:hub/default"
    }
  ]
}
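The first statement above is the one that fences in which EventBridge rules the service role may create: the rule name must match *ControlTower*, the rule must be marked as managed by controltower.amazonaws.com, its event pattern must name aws.securityhub as a source, and a detail-type must be present and equal the Security Hub findings type. The following added example (not AWS code) approximates IAM's evaluation of that statement for a PutRule request context, implementing only the three condition operators it uses plus ARN wildcard matching; the request contexts are constructed, and real IAM evaluation also considers every other applicable policy.

```python
"""Approximate evaluation of the events:PutRule statement of
AWSControlTowerAccountServiceRolePolicy. Added example, not AWS code."""
from fnmatch import fnmatchcase

# The first statement of the policy, as shown in the document above.
PUT_RULE_STATEMENT = {
    "Effect": "Allow",
    "Action": "events:PutRule",
    "Resource": "arn:aws:events:*:*:rule/*ControlTower*",
    "Condition": {
        "ForAnyValue:StringEquals": {"events:source": "aws.securityhub"},
        "Null": {"events:detail-type": "false"},
        "StringEquals": {
            "events:ManagedBy": "controltower.amazonaws.com",
            "events:detail-type": "Security Hub Findings - Imported",
        },
    },
}

# Constructed request context for a PutRule call that the statement should allow.
SAMPLE_CONTEXT = {
    "events:source": ["aws.securityhub"],          # multivalued key (from the EventPattern)
    "events:detail-type": "Security Hub Findings - Imported",
    "events:ManagedBy": "controltower.amazonaws.com",
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_matches(operator, key, expected, context):
    """One condition key under one operator; every key in a statement must match."""
    actual, expected = context.get(key), _as_list(expected)
    if operator == "Null":  # "false" requires the key to be present, "true" absent
        return (actual is None) == (expected[0] == "true")
    if actual is None:
        return False
    if operator == "ForAnyValue:StringEquals":  # set operator: any context value matches
        return any(v in expected for v in _as_list(actual))
    if operator == "StringEquals":  # single-valued, case-sensitive match
        return not isinstance(actual, list) and actual in expected
    raise ValueError(f"operator not supported by this example: {operator}")


def statement_allows(statement, action, resource_arn, context):
    """True if the statement grants action on resource_arn for this request context."""
    if statement["Effect"] != "Allow" or action not in _as_list(statement["Action"]):
        return False
    if not any(fnmatchcase(resource_arn, r) for r in _as_list(statement["Resource"])):
        return False
    return all(_condition_matches(op, key, exp, context)
               for op, pairs in statement.get("Condition", {}).items()
               for key, exp in pairs.items())
```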

Updates to this managed policy are summarized in the table Managed policies for AWS Control Tower.