深入探讨身份和访问管理 (IAM) 政策评估 [重复].pdf

《深入探讨身份和访问管理 (IAM) 政策评估 [重复].pdf》由会员分享，可在线阅读，更多相关《深入探讨身份和访问管理 (IAM) 政策评估 [重复].pdf（155页珍藏版）》请在三个皮匠报告上搜索。

1、 2025,Amazon Web Services,Inc.or its affiliates.All rights reserved.2025,Amazon Web Services,Inc.or its affiliates.All rights reserved.2025,Amazon Web Services,Inc.or its affiliates.All rights reserved.IAM policy evaluation deep diveS E C 4 0 2Matt LuttrellPrincipal Security EngineerAWS IdentityKhal

2、ed SinnoPrincipal EngineerAWS Identity 2025,Amazon Web Services,Inc.or its affiliates.All rights reserved.The authorization contextConditionsPolicy evaluation chainsReal-world policy examplesAgenda 2025,Amazon Web Services,Inc.or its affiliates.All rights reserved.Explicit allow At least one matchin

3、g allow statement,no matching deny statementsImplicit deny No matching allow or deny statementsExplicit deny At least one matching deny statementPossible policy evaluation results 2025,Amazon Web Services,Inc.or its affiliates.All rights reserved.Authorization contextPrincipal:AROADBQP57FF2AEXAMPLEA

4、ction:ec2:CreateNetworkInterfaceResource:arn:aws:ec2:us-east-1:111111111111:network-interface/eni-123456Context:aws:UserId AROADBQP57FF2AEXAMPLE:BobsSession aws:PrincipalAccount 123456789012 aws:PrincipalOrgId o-example aws:PrincipalARN arn:aws:iam:123456789012:role/Bob aws:MultiFactorAuthPresent fa

5、lse aws:CurrentTime 2020-04-01T00:00:00Z aws:EpochTime 1745946304 aws:SourceIp 127.0.0.1 aws:PrincipalTag/dept 123 aws:PrincipalTag/project blue aws:RequestTag/dept 123 2025,Amazon Web Services,Inc.or its affiliates.All rights reserved.PrincipalId:AROAJU7BV4QWEXAMPLEContext:aws:UserId AROAJU7BV4QWEX

6、AMPLE:JohnsSession aws:PrincipalAccount 111111111111 aws:PrincipalOrgId o-example aws:PrincipalARN arn:aws:iam:111111111111:role/John aws:PrincipalTag/dept 123Context:aws:MultiFactorAuthPresent false aws:CurrentTime 2020-04-01T00:00:00Z aws:EpochTime 1745946304 aws:SourceIp 127.0.0.1Request contextP