今天收到 AWS 的通知
內容是說明啟用新的 managed policies
- AWSLambda_FullAccess
- AWSLambda_ReadOnlyAccess
它是對應舊版的
- AWSLambdaFullAccess
- AWSLambdaReadOnlyAccess
比較 AWSLambdaFullAccess 與 AWSLambda_FullAccess
可以觀察一下舊版 arn:aws:iam::aws:policy/AWSLambdaFullAccess 的內容
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudformation:DescribeChangeSet", "cloudformation:DescribeStackResources", "cloudformation:DescribeStacks", "cloudformation:GetTemplate", "cloudformation:ListStackResources", "cloudwatch:*", "cognito-identity:ListIdentityPools", "cognito-sync:GetCognitoEvents", "cognito-sync:SetCognitoEvents", "dynamodb:*", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "events:*", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "iam:GetRolePolicy", "iam:ListAttachedRolePolicies", "iam:ListRolePolicies", "iam:ListRoles", "iam:PassRole", "iot:AttachPrincipalPolicy", "iot:AttachThingPrincipal", "iot:CreateKeysAndCertificate", "iot:CreatePolicy", "iot:CreateThing", "iot:CreateTopicRule", "iot:DescribeEndpoint", "iot:GetTopicRule", "iot:ListPolicies", "iot:ListThings", "iot:ListTopicRules", "iot:ReplaceTopicRule", "kinesis:DescribeStream", "kinesis:ListStreams", "kinesis:PutRecord", "kms:ListAliases", "lambda:*", "logs:*", "s3:*", "sns:ListSubscriptions", "sns:ListSubscriptionsByTopic", "sns:ListTopics", "sns:Publish", "sns:Subscribe", "sns:Unsubscribe", "sqs:ListQueues", "sqs:SendMessage", "tag:GetResources", "xray:PutTelemetryRecords", "xray:PutTraceSegments" ], "Resource": "*" } ] }
與新版的 arn:aws:iam::aws:policy/AWSLambda_FullAccess
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudformation:DescribeStacks", "cloudformation:ListStackResources", "cloudwatch:ListMetrics", "cloudwatch:GetMetricData", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "kms:ListAliases", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "iam:GetRolePolicy", "iam:ListAttachedRolePolicies", "iam:ListRolePolicies", "iam:ListRoles", "lambda:*", "logs:DescribeLogGroups", "states:DescribeStateMachine", "states:ListStateMachines", "tag:GetResources", "xray:GetTraceSummaries", "xray:BatchGetTraces" ], "Resource": "*" }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*", "Condition": { "StringEquals": { "iam:PassedToService": "lambda.amazonaws.com" } } }, { "Effect": "Allow", "Action": [ "logs:DescribeLogStreams", "logs:GetLogEvents", "logs:FilterLogEvents" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/*" } ] }
比較 AWSLambdaReadOnlyAccess 與 AWSLambda_ReadOnlyAccess
再看看 arn:aws:iam::aws:policy/AWSLambdaReadOnlyAccess
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudformation:DescribeChangeSet", "cloudformation:DescribeStackResources", "cloudformation:DescribeStacks", "cloudformation:GetTemplate", "cloudformation:ListStackResources", "cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*", "cognito-identity:ListIdentityPools", "cognito-sync:GetCognitoEvents", "dynamodb:BatchGetItem", "dynamodb:DescribeStream", "dynamodb:DescribeTable", "dynamodb:GetItem", "dynamodb:ListStreams", "dynamodb:ListTables", "dynamodb:Query", "dynamodb:Scan", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "events:Describe*", "events:List*", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "iam:GetRolePolicy", "iam:ListAttachedRolePolicies", "iam:ListRolePolicies", "iam:ListRoles", "iot:DescribeEndpoint", "iot:GetTopicRule", "iot:ListPolicies", "iot:ListThings", "iot:ListTopicRules", "kinesis:DescribeStream", "kinesis:ListStreams", "kms:ListAliases", "lambda:Get*", "lambda:List*", "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:DescribeMetricFilters", "logs:GetLogEvents", "s3:Get*", "s3:List*", "sns:ListSubscriptions", "sns:ListSubscriptionsByTopic", "sns:ListTopics", "sqs:ListQueues", "tag:GetResources" ], "Resource": "*" } ] }
與新版 arn:aws:iam::aws:policy/AWSLambda_ReadOnlyAccess
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudformation:DescribeStacks", "cloudformation:ListStackResources", "cloudwatch:GetMetricData", "cloudwatch:ListMetrics", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "kms:ListAliases", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "iam:GetRolePolicy", "iam:ListAttachedRolePolicies", "iam:ListRolePolicies", "iam:ListRoles", "logs:DescribeLogGroups", "lambda:Get*", "lambda:List*", "states:DescribeStateMachine", "states:ListStateMachines", "tag:GetResources", "xray:GetTraceSummaries", "xray:BatchGetTraces" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "logs:DescribeLogStreams", "logs:GetLogEvents", "logs:FilterLogEvents" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/*" } ] }
限縮權限
可以發現權限部分明顯地做了一個限縮變得更安全
棄用時間
而舊版的 AWSLambdaFullAccess 與 AWSLambdaReadOnlyAccess 目前還是可以正常使用但是在 2021 年 1 月 25 日會棄用
已取代的 AWS 受管政策
另外在這邊說明一下如果已經有被棄用的 policies 會有以下幾種特性
- 目前的 policies 是可以正常使用的包誇使用者、群組或角色除非到了棄用時間
- 這些舊的 policies 並沒有辦法與使用者、群組或角色連接
- 如果舊的使用者、群組或角色有這個 policies 移除之後也沒有辦法再加回來
有疑問可以看一下 AWS docs
參考資料
- https://docs.aws.amazon.com/zh_tw/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies
- https://docs.aws.amazon.com/zh_tw/lambda/latest/dg/access-control-identity-based.html
《AWS CDK 完全學習手冊:打造雲端基礎架構程式碼 IaC》
第 12 屆 iT 邦幫忙鐵人賽 DevOps 組冠的《用 CDK 定 義 AWS 架構》
第 11 屆 iT 邦幫忙鐵人賽《LINE bot 好好玩 30 天玩轉 LINE API》
一個熱愛分享的雲端工程師!