AWS | IAM | Getting the policies associated with a user or role


Introduction to the AWS IAM permission model

The AWS IAM permission model consists of Accounts, Users, Roles, Groups, Policies and Permissions and the relationships between them, as shown in the figure below.

[Figure: relationships between Account, User, Role, Group, Policy and Permission in the IAM permission model]

For a detailed introduction to the permission model see the official documentation; the topic of this article is how to retrieve the policies associated with a user or role (inline policies and managed policies).

An inline policy is a policy embedded in an IAM identity (a user, group or role); a managed policy is a standalone policy created and managed by AWS. The biggest difference is that the latter has its own resource ARN, and only the two together make up the complete set of policies of an IAM identity. For details see https://docs.aws.amazon.com/zhcn/IAM/latest/UserGuide/accesspolicies_managed-vs-inline.html

Getting the IAM policies (managed policies) attached to an IAM user

Step 1. List all IAM users (list-users): https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html

Step 2. Get the IAM policies attached to the IAM user (list-attached-user-policies): https://docs.aws.amazon.com/cli/latest/reference/iam/list-attached-user-policies.html

This produces the following output:

```json
{
  "AttachedPolicies": [
    {
      "PolicyName": "AutoScalingFullAccess",
      "PolicyArn": "arn:aws:iam::123456789012:policy/MyEC2Policy"
    }
  ]
}
```

Step 3. Get the default version ID of a policy (get-policy): https://docs.aws.amazon.com/cli/latest/reference/iam/get-policy.html

This produces the following output:

```json
{
  "Policy": {
    "PolicyName": "MyEC2Policy",
    "PolicyId": "ANPAIZT2BABFC6H2KPSEU",
    "Arn": "arn:aws:iam::123456789012:policy/MyEC2Policy",
    "Path": "/",
    "DefaultVersionId": "v2",
    "AttachmentCount": 0,
    "PermissionsBoundaryUsageCount": 0,
    "IsAttachable": true,
    "Description": "Allow users to start and start EC2 instances.",
    "CreateDate": "2019-07-21T12:08:28Z",
    "UpdateDate": "2019-05-29T23:06:26Z",
    "Tags": []
  }
}
```

The DefaultVersionId field ("v2" here) is the default version; its ID is what the next step needs.

Step 4. Get the content of a policy (get-policy-version): https://docs.aws.amazon.com/cli/latest/reference/iam/get-policy-version.html

This produces the following output:

```json
{
  "PolicyVersion": {
    "Document": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ec2:StartInstances",
            "ec2:StopInstances"
          ],
          "Resource": "arn:aws:ec2:*:*:instance/*"
        },
        {
          "Effect": "Allow",
          "Action": "ec2:DescribeInstances",
          "Resource": "*"
        },
        {
          "Effect": "Deny",
          "Action": "ec2:TerminateInstances",
          "Resource": "*"
        }
      ]
    },
    "VersionId": "v2",
    "IsDefaultVersion": true,
    "CreateDate": "2020-05-29T23:06:26Z"
  }
}
```

Getting the content of an IAM user's inline policy

This uses get-user-policy (https://docs.aws.amazon.com/cli/latest/reference/iam/get-user-policy.html), which produces the following output:

```json
{
  "UserName": "WStester",
  "PolicyName": "IAMLimitedAdmin",
  "PolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
          "workspaces:*",
          "ds:*"
        ],
        "Resource": "*"
      }
    ]
  }
}
```
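As an added example (not code from the original post), the following Python chains steps 2 to 4 and the inline lookup for one user into a single function and then flags Allow statements that grant wildcard actions on every resource, which is the review a defender usually wants after collecting the documents. It runs offline against a constructed stand-in client (`FakeIAM`, `collect_user_policies` and `wildcard_statements` are names chosen here) that returns the sample documents shown above; a real `boto3.client("iam")` can be passed in its place because the method names and response shapes match.

```python
# Constructed sample responses that mirror the CLI output shown above; not live AWS data.
ARN = "arn:aws:iam::123456789012:policy/MyEC2Policy"
SAMPLE = {
    "attached": {"WStester": [{"PolicyName": "MyEC2Policy", "PolicyArn": ARN}]},
    "default_version": {ARN: "v2"},
    "versions": {(ARN, "v2"): {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"],
         "Resource": "arn:aws:ec2:*:*:instance/*"},
        {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"}]}},
    "inline": {("WStester", "IAMLimitedAdmin"): {"Version": "2012-10-17", "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow", "Action": ["workspaces:*", "ds:*"], "Resource": "*"}]}},
}

class FakeIAM:
    """Offline stand-in with the same method names and response shapes as boto3's IAM client."""
    def list_attached_user_policies(self, UserName):
        return {"AttachedPolicies": SAMPLE["attached"].get(UserName, [])}
    def get_policy(self, PolicyArn):
        return {"Policy": {"DefaultVersionId": SAMPLE["default_version"][PolicyArn]}}
    def get_policy_version(self, PolicyArn, VersionId):
        return {"PolicyVersion": {"Document": SAMPLE["versions"][(PolicyArn, VersionId)]}}
    def list_user_policies(self, UserName):
        return {"PolicyNames": [n for (u, n) in SAMPLE["inline"] if u == UserName]}
    def get_user_policy(self, UserName, PolicyName):
        return {"PolicyDocument": SAMPLE["inline"][(UserName, PolicyName)]}

def collect_user_policies(iam, user_name):
    """Steps 2-4 plus the inline lookup: returns {label: policy document} for one user."""
    docs = {}
    for att in iam.list_attached_user_policies(UserName=user_name)["AttachedPolicies"]:
        # The managed policy's effective document is its default version, resolved via get-policy.
        version = iam.get_policy(PolicyArn=att["PolicyArn"])["Policy"]["DefaultVersionId"]
        docs["managed:" + att["PolicyName"]] = iam.get_policy_version(
            PolicyArn=att["PolicyArn"], VersionId=version)["PolicyVersion"]["Document"]
    for name in iam.list_user_policies(UserName=user_name)["PolicyNames"]:
        docs["inline:" + name] = iam.get_user_policy(
            UserName=user_name, PolicyName=name)["PolicyDocument"]
    return docs

def wildcard_statements(docs):
    """Review aid: (label, action) pairs where an Allow grants a wildcard action on Resource '*'."""
    hits = []
    for label, doc in docs.items():
        for stmt in doc["Statement"]:
            actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            res = stmt.get("Resource", [])
            if stmt["Effect"] == "Allow" and "*" in (res if isinstance(res, list) else [res]):
                hits.extend((label, a) for a in actions if a.endswith("*"))
    return hits
```

With a real client, paginate list_attached_user_policies and list_user_policies for users with many policies and repeat over every user returned by step 1; the same pattern applies to roles through list_attached_role_policies, list_role_policies and get_role_policy.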


Reposted from blog.csdn.net/DynmicResource/article/details/126541278