I have two VPCs in my account, one for the Test and the other for the Prod environment.
I am trying to set up IAM user accounts for developers, with permission boundaries, so that deve
What I get is that you are trying to restrict users to the services that are inside a particular VPC. I did the same thing to allow users to update only the Lambda functions that are inside a particular VPC. This can be done like below:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAllResources",
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        },
        {
            "Sid": "DenyLambdaUpdateIfNotInsideVPC",
            "Effect": "Deny",
            "Action": [
                "lambda:CreateFunction",
                "lambda:UpdateFunctionConfiguration"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "lambda:VpcIds": "your vpc id"
                }
            }
        }
    ]
}
In this way you can restrict users from accessing resources that are outside your VPC, by listing the services and their specific actions in the Deny statement.
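To see how the Allow-everything plus conditional-Deny pattern above actually decides a request, here is a small added example (not part of the answer or of any AWS library) that models IAM's evaluation rules for a single policy: an explicit Deny wins over any Allow, and a StringNotEquals condition also matches when the context key is absent, so a function created with no VPC configuration at all is denied as well. The VPC IDs and the request contexts are constructed placeholders, and the evaluator ignores Resource matching, permission-boundary intersection and SCPs, which the real service also applies.

```python
"""Minimal model of IAM policy evaluation for the VPC-restriction pattern.

Constructed example; it implements only the parts of IAM evaluation needed
to illustrate the Allow-all + conditional-Deny policy from the answer.
"""
from fnmatch import fnmatchcase

# Constructed placeholder VPC IDs (assumption: Test is the only VPC developers may use).
VPC_TEST = "vpc-0aaaaaaaaaaaaaaa1"
VPC_PROD = "vpc-0bbbbbbbbbbbbbbb1"

# The policy from the answer, with the Test VPC substituted for "your vpc id".
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAllResources", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Sid": "DenyLambdaUpdateIfNotInsideVPC",
            "Effect": "Deny",
            "Action": ["lambda:CreateFunction", "lambda:UpdateFunctionConfiguration"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"lambda:VpcIds": VPC_TEST}},
        },
    ],
}


def _as_list(value):
    """IAM allows a single string or a list in Action and condition values."""
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    """Action patterns support '*' wildcards, e.g. "lambda:*"."""
    return any(fnmatchcase(action, p) for p in _as_list(patterns))


def _condition_matches(condition, context):
    """All operators and all keys in a Condition block must match (logical AND)."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            wanted = _as_list(wanted)
            actual = context.get(key)
            if operator == "StringEquals":
                # Positive operator: a missing key never matches.
                if actual is None or actual not in wanted:
                    return False
            elif operator == "StringNotEquals":
                # Negated operator: a missing key counts as "not equal", so the
                # Deny also applies to a function configured with no VPC at all.
                if actual is not None and actual in wanted:
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def evaluate(policy, action, context):
    """Return "Allow", "ExplicitDeny" or "ImplicitDeny" for one request.

    context maps condition keys (e.g. "lambda:VpcIds") to the request's values.
    """
    decision = "ImplicitDeny"  # nothing matched yet: denied by default
    for stmt in policy["Statement"]:
        if not _action_matches(stmt["Action"], action):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # an explicit Deny overrides every Allow
        decision = "Allow"
    return decision


if __name__ == "__main__":
    cases = [
        ("lambda:CreateFunction", {"lambda:VpcIds": VPC_TEST}),
        ("lambda:CreateFunction", {"lambda:VpcIds": VPC_PROD}),
        ("lambda:CreateFunction", {}),                      # no VPC configured
        ("lambda:InvokeFunction", {"lambda:VpcIds": VPC_PROD}),  # not in the Deny list
    ]
    for action, ctx in cases:
        print(f"{action:36} {ctx!s:40} -> {evaluate(POLICY, action, ctx)}")
```

The third case is the one worth noticing: because StringNotEquals matches when `lambda:VpcIds` is missing, developers cannot side-step the restriction by creating a function outside any VPC. The fourth case shows the flip side of the pattern: only the actions listed in the Deny statement are restricted, so anything else (here `lambda:InvokeFunction`) is still allowed against Prod resources until it is added to the Deny list.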