Using identity-based policies (IAM policies) for AWS Control Tower - AWS Control Tower

This is a machine-translated version of the English original. If there is any ambiguity or inconsistency in the content, the English version takes precedence.

Using identity-based policies (IAM policies) for AWS Control Tower

This topic provides examples of identity-based policies that show how an account administrator can attach permissions policies to IAM identities (that is, users, groups, and roles) and thereby grant permission to perform operations on AWS Control Tower resources.

Important

We recommend that you first review the introductory topic, which explains the basic concepts and options available for managing access to AWS Control Tower resources. For more information, see Overview of managing access permissions to your AWS Control Tower resources.

AWSControlTowerAdmin role

This role gives AWS Control Tower access to the infrastructure that is critical to maintaining the landing zone. The AWSControlTowerAdmin role requires an attached managed policy and a role trust policy for the IAM role. The role trust policy is a resource-based policy that specifies which principals can assume the role.

The following is an example snippet of the trust policy for this role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "controltower.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

To create this role from the AWS CLI, save the trust policy in a file named trust.json; the following is an example of the CLI command:

aws iam create-role --role-name AWSControlTowerAdmin --path /service-role/ --assume-role-policy-document file://trust.json

Note that the role is created under the /service-role/ path, so its ARN is arn:aws:iam::<management-account-id>:role/service-role/AWSControlTowerAdmin; any trust policy that references this role must use that path.

This role requires two IAM policies.

  1. An inline policy, for example:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ec2:DescribeAvailabilityZones",
          "Resource": "*"
        }
      ]
    }

  2. The managed policy that follows, AWSControlTowerServiceRolePolicy.
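The steps above (create the role with the trust policy, add the inline policy, attach the managed policy) can be run idempotently from one script. The following is an added example, not code from the AWS documentation: the pure helpers compare trust policies after normalizing IAM's string-or-list fields (the page itself shows "Service" written both as a string and as a one-element list) so that an existing role is reported as unchanged rather than as drift, and flag any trust policy that lets an anonymous or wildcard principal assume the role. The managed policy ARN is assumed to be arn:aws:iam::aws:policy/service-role/AWSControlTowerServiceRolePolicy; confirm it against the managed policy reference for your partition. The boto3 call only runs when the script is executed directly with management-account credentials.

```python
"""Provision AWSControlTowerAdmin idempotently and detect trust-policy drift.

Added example, not code from the AWS documentation. Helper names are the
author's own; the managed policy ARN below is an assumption to verify.
"""
import json

ROLE_NAME = "AWSControlTowerAdmin"
ROLE_PATH = "/service-role/"
SERVICE_PRINCIPAL = "controltower.amazonaws.com"
INLINE_POLICY_NAME = "AWSControlTowerAdminPolicy"
# Assumed ARN of the AWS managed policy; check it in your partition.
MANAGED_POLICY_ARN = "arn:aws:iam::aws:policy/service-role/AWSControlTowerServiceRolePolicy"


def trust_policy():
    """Trust policy from the page: only the Control Tower service may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": SERVICE_PRINCIPAL},
            "Action": "sts:AssumeRole",
        }],
    }


def inline_policy():
    """Inline policy from the page (ec2:DescribeAvailabilityZones only)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "ec2:DescribeAvailabilityZones", "Resource": "*"}],
    }


def _as_list(value):
    """IAM accepts a string or a list in most fields; always work with a list."""
    return value if isinstance(value, list) else [value]


def _normalize_statement(stmt):
    """Canonical, order-independent form of one trust-policy statement."""
    principals = set()
    principal = stmt.get("Principal", {})
    if principal == "*":
        principals.add(("*", "*"))
    else:
        for kind, values in principal.items():
            for value in _as_list(values):
                principals.add((kind, value))
    return (
        stmt.get("Effect"),
        frozenset(principals),
        frozenset(_as_list(stmt.get("Action", []))),
        json.dumps(stmt.get("Condition", {}), sort_keys=True),
    )


def trust_policies_equivalent(a, b):
    """True when both documents grant the same assume-role permissions."""
    return ({_normalize_statement(s) for s in _as_list(a["Statement"])}
            == {_normalize_statement(s) for s in _as_list(b["Statement"])})


def wildcard_principals(doc):
    """Allow statements whose principal is "*" (anyone, or any AWS account)."""
    hits = []
    for stmt in _as_list(doc["Statement"]):
        _, principals, _, _ = _normalize_statement(stmt)
        if stmt.get("Effect") == "Allow" and any(v == "*" for _, v in principals):
            hits.append(stmt)
    return hits


def ensure_role(iam):
    """Create the role if missing; otherwise report whether its trust policy drifted."""
    expected = trust_policy()
    try:
        # boto3 returns AssumeRolePolicyDocument already decoded into a dict.
        existing = iam.get_role(RoleName=ROLE_NAME)["Role"]["AssumeRolePolicyDocument"]
    except iam.exceptions.NoSuchEntityException:
        iam.create_role(RoleName=ROLE_NAME, Path=ROLE_PATH,
                        AssumeRolePolicyDocument=json.dumps(expected))
        iam.put_role_policy(RoleName=ROLE_NAME, PolicyName=INLINE_POLICY_NAME,
                            PolicyDocument=json.dumps(inline_policy()))
        iam.attach_role_policy(RoleName=ROLE_NAME, PolicyArn=MANAGED_POLICY_ARN)
        return "created"
    return "unchanged" if trust_policies_equivalent(existing, expected) else "drift"


if __name__ == "__main__":
    import boto3  # imported here so the helpers above work without boto3 installed
    print(ensure_role(boto3.client("iam")))
```

A "drift" result means the trust policy was edited after creation; the helper deliberately does not overwrite it, because a widened trust policy on this role is a finding to investigate, not something to silently repair.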

AWSControlTowerServiceRolePolicy

AWSControlTowerServiceRolePolicy is an AWS managed policy that defines permissions to create and manage AWS Control Tower resources, such as AWS CloudFormation stack sets and stack instances, AWS CloudTrail log files, a configuration aggregator for AWS Control Tower, and AWS Organizations accounts and organizational units (OUs) that are managed by AWS Control Tower.

A summary of updates to this managed policy is listed in the table AWS Control Tower managed policies.

For more information, see AWSControlTowerServiceRolePolicy in the AWS Managed Policy Reference Guide.

Managed policy name: AWSControlTowerServiceRolePolicy

The JSON artifact for AWSControlTowerServiceRolePolicy is as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:CreateStackInstances",
        "cloudformation:CreateStackSet",
        "cloudformation:DeleteStack",
        "cloudformation:DeleteStackInstances",
        "cloudformation:DeleteStackSet",
        "cloudformation:DescribeStackInstance",
        "cloudformation:DescribeStacks",
        "cloudformation:DescribeStackSet",
        "cloudformation:DescribeStackSetOperation",
        "cloudformation:ListStackInstances",
        "cloudformation:UpdateStack",
        "cloudformation:UpdateStackInstances",
        "cloudformation:UpdateStackSet"
      ],
      "Resource": [
        "arn:aws:cloudformation:*:*:type/resource/AWS-IAM-Role"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "account:EnableRegion",
        "account:ListRegions",
        "account:GetRegionOptStatus"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:CreateStackInstances",
        "cloudformation:CreateStackSet",
        "cloudformation:DeleteStack",
        "cloudformation:DeleteStackInstances",
        "cloudformation:DeleteStackSet",
        "cloudformation:DescribeStackInstance",
        "cloudformation:DescribeStacks",
        "cloudformation:DescribeStackSet",
        "cloudformation:DescribeStackSetOperation",
        "cloudformation:GetTemplate",
        "cloudformation:ListStackInstances",
        "cloudformation:UpdateStack",
        "cloudformation:UpdateStackInstances",
        "cloudformation:UpdateStackSet"
      ],
      "Resource": [
        "arn:aws:cloudformation:*:*:stack/AWSControlTower*/*",
        "arn:aws:cloudformation:*:*:stack/StackSet-AWSControlTower*/*",
        "arn:aws:cloudformation:*:*:stackset/AWSControlTower*:*",
        "arn:aws:cloudformation:*:*:stackset-target/AWSControlTower*/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudtrail:CreateTrail",
        "cloudtrail:DeleteTrail",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:StartLogging",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:PutRetentionPolicy"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:aws-controltower/CloudTrailLogs:*",
        "arn:aws:cloudtrail:*:*:trail/aws-controltower*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::aws-controltower*/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/AWSControlTowerExecution",
        "arn:aws:iam::*:role/AWSControlTowerBlueprintAccess"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudtrail:DescribeTrails",
        "ec2:DescribeAvailabilityZones",
        "iam:ListRoles",
        "logs:CreateLogGroup",
        "logs:DescribeLogGroups",
        "organizations:CreateAccount",
        "organizations:DescribeAccount",
        "organizations:DescribeCreateAccountStatus",
        "organizations:DescribeOrganization",
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribePolicy",
        "organizations:ListAccounts",
        "organizations:ListAccountsForParent",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:ListChildren",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListParents",
        "organizations:ListPoliciesForTarget",
        "organizations:ListTargetsForPolicy",
        "organizations:ListRoots",
        "organizations:MoveAccount",
        "servicecatalog:AssociatePrincipalWithPortfolio"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:GetUser",
        "iam:ListAttachedRolePolicies",
        "iam:GetRolePolicy"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/service-role/AWSControlTowerStackSetRole",
        "arn:aws:iam::*:role/service-role/AWSControlTowerCloudTrailRole",
        "arn:aws:iam::*:role/service-role/AWSControlTowerConfigAggregatorRoleForOrganizations"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "config:DeleteConfigurationAggregator",
        "config:PutConfigurationAggregator",
        "config:TagResource"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/aws-control-tower": "managed-by-control-tower"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:EnableAWSServiceAccess",
        "organizations:DisableAWSServiceAccess"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "organizations:ServicePrincipal": [
            "config.amazonaws.com",
            "cloudtrail.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "cloudtrail.amazonaws.com"
        }
      }
    }
  ]
}
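The security-relevant property of the policy above is how its escalation-capable actions are scoped: sts:AssumeRole is limited to the two Control Tower roles, iam:PassRole to three named service roles, and iam:CreateServiceLinkedRole is allowed on "*" only under an iam:AWSServiceName condition. The following added example (not AWS code) is a small linter that checks exactly that property in any permissions policy: it reports every Allow statement granting one of those actions on resource "*" with no Condition, and lists which role ARNs a policy allows to be passed. The sample policies are constructed excerpts in the shape of the statements above, with Sids added for readability; they are not the full managed policy.

```python
"""Lint an IAM permissions policy for unscoped privilege-escalation grants.

Added example, not code from the AWS documentation. The sample policies are
constructed excerpts (with invented Sids), not the full managed policy.
"""
import fnmatch

# Actions that let a principal obtain, hand out, or widen permissions.
ESCALATION_ACTIONS = (
    "iam:PassRole",
    "sts:AssumeRole",
    "iam:CreateServiceLinkedRole",
    "iam:CreateRole",
    "iam:AttachRolePolicy",
    "iam:PutRolePolicy",
)


def _as_list(value):
    """IAM accepts a string or a list in most fields; always work with a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action names match case-insensitively, with * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def findings(policy):
    """(Sid, action, reason) for each Allow statement that grants an escalation
    action on resource "*" with no Condition; NotAction/NotResource statements
    grant by exclusion and are flagged for manual review."""
    results = []
    for index, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{index}]")
        if "NotAction" in stmt or "NotResource" in stmt:
            results.append((sid, "*", "NotAction/NotResource grants by exclusion; review manually"))
            continue
        unscoped = "*" in _as_list(stmt.get("Resource", [])) and not stmt.get("Condition")
        if not unscoped:
            continue
        for action in ESCALATION_ACTIONS:
            if any(_matches(p, action) for p in _as_list(stmt.get("Action", []))):
                results.append((sid, action, 'resource "*" with no Condition'))
    return results


def passrole_targets(policy):
    """Every role ARN pattern the policy allows to be passed to a service."""
    targets = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if any(_matches(p, "iam:PassRole") for p in _as_list(stmt.get("Action", []))):
            targets.update(_as_list(stmt.get("Resource", [])))
    return sorted(targets)


# Constructed excerpt mirroring the scoping used in AWSControlTowerServiceRolePolicy.
SAMPLE_SCOPED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AssumeExecutionRoles", "Effect": "Allow", "Action": ["sts:AssumeRole"],
         "Resource": ["arn:aws:iam::*:role/AWSControlTowerExecution",
                      "arn:aws:iam::*:role/AWSControlTowerBlueprintAccess"]},
        {"Sid": "PassServiceRoles", "Effect": "Allow", "Action": ["iam:PassRole"],
         "Resource": ["arn:aws:iam::*:role/service-role/AWSControlTowerStackSetRole",
                      "arn:aws:iam::*:role/service-role/AWSControlTowerCloudTrailRole",
                      "arn:aws:iam::*:role/service-role/AWSControlTowerConfigAggregatorRoleForOrganizations"]},
        {"Sid": "CloudTrailServiceLinkedRole", "Effect": "Allow",
         "Action": "iam:CreateServiceLinkedRole", "Resource": "*",
         "Condition": {"StringEquals": {"iam:AWSServiceName": "cloudtrail.amazonaws.com"}}},
        {"Sid": "ReadOnlyIam", "Effect": "Allow",
         "Action": ["iam:GetRole", "iam:ListRoles"], "Resource": "*"},
    ],
}

# Constructed counter-example: the same primitives with the scoping removed.
SAMPLE_UNSCOPED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PassAnyRole", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
        {"Sid": "AssumeAnything", "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print("scoped:", findings(SAMPLE_SCOPED))
    print("unscoped:", findings(SAMPLE_UNSCOPED))
    print("passable roles:", passrole_targets(SAMPLE_SCOPED))
```

Run it over a policy fetched with aws iam get-policy-version to confirm that a managed policy update has not widened any of these statements; the table of policy updates referenced on this page tells you when to re-run it.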

Role trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "controltower.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

The inline policy is AWSControlTowerAdminPolicy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "ec2:DescribeAvailabilityZones",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

AWSControlTowerStackSetRole

AWS CloudFormation assumes this role to deploy stack sets in accounts created by AWS Control Tower.

Inline policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/AWSControlTowerExecution"
      ],
      "Effect": "Allow"
    }
  ]
}

Trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudformation.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

AWSControlTowerCloudTrailRole

AWS Control Tower enables CloudTrail as a best practice and provides this role to CloudTrail. CloudTrail assumes this role to create and publish CloudTrail logs.

Inline policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "logs:CreateLogStream",
      "Resource": "arn:aws:logs:*:*:log-group:aws-controltower/CloudTrailLogs:*",
      "Effect": "Allow"
    },
    {
      "Action": "logs:PutLogEvents",
      "Resource": "arn:aws:logs:*:*:log-group:aws-controltower/CloudTrailLogs:*",
      "Effect": "Allow"
    }
  ]
}

Trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

AWSControlTowerBlueprintAccess role requirements

AWS Control Tower requires that you create the AWSControlTowerBlueprintAccess role in the designated blueprint hub account, within the same organization.

Role name

The role name must be AWSControlTowerBlueprintAccess.

Role trust policy

The role must be set up to trust the following principals:

  • The principal that uses AWS Control Tower in the management account.

  • The AWSControlTowerAdmin role in the management account.

The following example shows a least-privilege trust policy. When you write your own policy, replace YourManagementAccountId with the actual account ID of the AWS Control Tower management account, and replace YourControlTowerUserRole with the identifier of the IAM role in the management account. Note that the AWSControlTowerAdmin role is referenced with its /service-role/ path, matching the path the role was created with.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::YourManagementAccountId:role/service-role/AWSControlTowerAdmin",
          "arn:aws:iam::YourManagementAccountId:role/YourControlTowerUserRole"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

Role permissions

You must attach the AWSServiceCatalogAdminFullAccess managed policy to the role.
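Because this role lives in a different account from the principals that assume it, its trust policy is the cross-account boundary: a single extra ARN, a :root principal, or a wildcard silently extends who can reach the blueprint hub's Service Catalog admin permissions. The following added example (not AWS code) audits such a trust policy offline: it parses every AWS principal ARN, verifies the account ID is the management account, rejects account-root and wildcard principals, and catches an AWSControlTowerAdmin reference that omits the /service-role/ path. The account ID 111122223333 and the role name ControlTowerUser are placeholders, not real values.

```python
"""Audit the AWSControlTowerBlueprintAccess trust policy in the blueprint hub account.

Added example, not code from the AWS documentation. Account 111122223333 and
role ControlTowerUser are placeholders.
"""
import re

# IAM principal ARN: partition, 12-digit account, then root / user/... / role/...
_PRINCIPAL_ARN = re.compile(r"^arn:aws[\w-]*:iam::(\d{12}):(root|user/.+|role/.+)$")
# The page creates AWSControlTowerAdmin with --path /service-role/, so this is its entity part.
ADMIN_ROLE_ENTITY = "role/service-role/AWSControlTowerAdmin"


def _as_list(value):
    """IAM accepts a string or a list in most fields; always work with a list."""
    return value if isinstance(value, list) else [value]


def audit_blueprint_trust(doc, management_account_id):
    """Return a list of problems; an empty list means every Allow statement trusts
    only named principals inside the management account."""
    problems = []
    for stmt in _as_list(doc["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            problems.append("anonymous principal '*'")
            continue
        for kind in principal:
            if kind != "AWS":
                problems.append(f"unexpected principal type {kind!r}; only AWS account principals belong here")
        for arn in _as_list(principal.get("AWS", [])):
            if arn == "*":
                problems.append("AWS principal '*' lets any account assume the role")
                continue
            match = _PRINCIPAL_ARN.match(arn)
            if not match:
                problems.append(f"unparseable principal {arn}")
                continue
            account, entity = match.groups()
            if account != management_account_id:
                problems.append(f"{arn} is outside the management account")
            if entity == "root":
                problems.append(f"{arn} trusts the entire account instead of a specific role")
            if entity.endswith("/AWSControlTowerAdmin") and entity != ADMIN_ROLE_ENTITY:
                problems.append(f"{arn} omits the /service-role/ path of AWSControlTowerAdmin")
    return problems


# The page's trust policy with the placeholders filled in (constructed values).
EXAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": [
            "arn:aws:iam::111122223333:role/service-role/AWSControlTowerAdmin",
            "arn:aws:iam::111122223333:role/ControlTowerUser",
        ]},
        "Action": "sts:AssumeRole",
        "Condition": {},
    }],
}

# Constructed drifted variant: wrong path on the admin role, plus a foreign account root.
DRIFTED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": [
            "arn:aws:iam::111122223333:role/AWSControlTowerAdmin",
            "arn:aws:iam::999988887777:root",
        ]},
        "Action": "sts:AssumeRole",
    }],
}

if __name__ == "__main__":
    print(audit_blueprint_trust(EXAMPLE_TRUST_POLICY, "111122223333"))
    print(audit_blueprint_trust(DRIFTED_TRUST_POLICY, "111122223333"))
```

Feed it the document returned by aws iam get-role for the hub account's role; the check is cheap enough to run on every deployment of the hub account.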

AWSServiceRoleForAWSControlTower

This role gives AWS Control Tower access to the log archive account, the audit account, and member accounts to perform operations that are critical to maintaining the landing zone, such as notifying you of resource drift.

The AWSServiceRoleForAWSControlTower role requires an attached managed policy and a role trust policy for the IAM role.

Managed policy for this role: AWSControlTowerAccountServiceRolePolicy

Role trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "controltower.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

AWSControlTowerAccountServiceRolePolicy

This AWS managed policy allows AWS Control Tower to call AWS services that provide automated account configuration and centralized governance on your behalf.

The policy contains the minimum permissions for AWS Control Tower to implement AWS Security Hub findings forwarding for resources managed by the Security Hub controls that are part of the Security Hub Service-managed Standard: AWS Control Tower, and to prevent changes that would restrict the ability to manage customer accounts. It is part of the background AWS Security Hub drift-detection process and is not initiated directly by customers.

The policy grants permission to create Amazon EventBridge rules in each member account, specifically for Security Hub controls, and these rules must specify an exact EventPattern. In addition, the policy can operate only on rules managed by our service principal.

Service principal: controltower.amazonaws.com

The JSON artifact for AWSControlTowerAccountServiceRolePolicy is as follows. The // lines are annotations from the documentation and are not valid in an IAM policy document; remove them before using this JSON.

{
  "Version": "2012-10-17",
  "Statement": [
    // For creating the managed rule
    {
      "Sid": "AllowPutRuleOnSpecificSourcesAndDetailTypes",
      "Effect": "Allow",
      "Action": "events:PutRule",
      "Resource": "arn:aws:events:*:*:rule/*ControlTower*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "events:source": "aws.securityhub"
        },
        "Null": {
          "events:detail-type": "false"
        },
        "StringEquals": {
          "events:ManagedBy": "controltower.amazonaws.com",
          "events:detail-type": "Security Hub Findings - Imported"
        }
      }
    },
    // Other operations to manage the managed rule
    {
      "Sid": "AllowOtherOperationsOnRulesManagedByControlTower",
      "Effect": "Allow",
      "Action": [
        "events:DeleteRule",
        "events:EnableRule",
        "events:DisableRule",
        "events:PutTargets",
        "events:RemoveTargets"
      ],
      "Resource": "arn:aws:events:*:*:rule/*ControlTower*",
      "Condition": {
        "StringEquals": {
          "events:ManagedBy": "controltower.amazonaws.com"
        }
      }
    },
    // More managed rule permissions
    {
      "Sid": "AllowDescribeOperationsOnRulesManagedByControlTower",
      "Effect": "Allow",
      "Action": [
        "events:DescribeRule",
        "events:ListTargetsByRule"
      ],
      "Resource": "arn:aws:events:*:*:rule/*ControlTower*"
    },
    // Add permission to publish the security notifications to SNS
    {
      "Sid": "AllowControlTowerToPublishSecurityNotifications",
      "Effect": "Allow",
      "Action": "sns:publish",
      "Resource": "arn:aws:sns:*:*:aws-controltower-AggregateSecurityNotifications",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalAccount": "${aws:ResourceAccount}"
        }
      }
    },
    // For drift verification
    {
      "Sid": "AllowActionsForSecurityHubIntegration",
      "Effect": "Allow",
      "Action": [
        "securityhub:DescribeStandardsControls",
        "securityhub:GetEnabledStandards"
      ],
      "Resource": "arn:aws:securityhub:*:*:hub/default"
    }
  ]
}
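The first statement is the interesting one: PutRule is allowed only for a rule whose ARN matches rule/*ControlTower*, whose event pattern names aws.securityhub as a source, and whose detail-type is present and exactly "Security Hub Findings - Imported". The following added example (not AWS code) models those conditions so you can see which PutRule requests pass and which fail. It is a simplified model and an assumption: the events:source and events:detail-type condition keys are taken from the rule's event pattern, and events:ManagedBy, which the calling service supplies, is modelled as a plain parameter. The region, account ID and rule names are placeholders.

```python
"""Model the events:PutRule conditions of AWSControlTowerAccountServiceRolePolicy.

Added example, not code from the AWS documentation. Simplified model (an
assumption): condition keys are derived from the event pattern as described
in the lead-in; region, account and rule names are placeholders.
"""
import fnmatch
import json

RULE_ARN_PATTERN = "arn:aws:events:*:*:rule/*ControlTower*"
REQUIRED_SOURCE = "aws.securityhub"                        # ForAnyValue:StringEquals events:source
REQUIRED_DETAIL_TYPE = "Security Hub Findings - Imported"  # StringEquals events:detail-type
MANAGED_BY = "controltower.amazonaws.com"                  # StringEquals events:ManagedBy


def rule_arn(region, account_id, rule_name):
    return f"arn:aws:events:{region}:{account_id}:rule/{rule_name}"


def put_rule_allowed(region, account_id, rule_name, event_pattern, managed_by=MANAGED_BY):
    """Return (allowed, reason) for a PutRule request under the policy's first statement."""
    # Resource element: ARN globbing is case-sensitive, so "controltower" does not match.
    if not fnmatch.fnmatchcase(rule_arn(region, account_id, rule_name), RULE_ARN_PATTERN):
        return False, f"rule ARN does not match {RULE_ARN_PATTERN}"
    if managed_by != MANAGED_BY:
        return False, "rule is not managed by controltower.amazonaws.com"
    # ForAnyValue:StringEquals: at least one source value must equal aws.securityhub.
    if REQUIRED_SOURCE not in event_pattern.get("source", []):
        return False, "event pattern must include source aws.securityhub"
    # Null: {"events:detail-type": "false"} means the key must be present in the request.
    detail_types = event_pattern.get("detail-type")
    if not detail_types:
        return False, "event pattern must set detail-type"
    # StringEquals with one value: exactly the Security Hub import detail-type, nothing else.
    if detail_types != [REQUIRED_DETAIL_TYPE]:
        return False, f"detail-type must be exactly {REQUIRED_DETAIL_TYPE!r}"
    return True, "ok"


def security_hub_forwarding_pattern():
    """A minimal event pattern that satisfies the conditions, serialized for PutRule."""
    return json.dumps({"source": [REQUIRED_SOURCE], "detail-type": [REQUIRED_DETAIL_TYPE]})


if __name__ == "__main__":
    ok_pattern = {"source": ["aws.securityhub"], "detail-type": ["Security Hub Findings - Imported"]}
    for name, pattern in [
        ("ControlTowerSecurityHubForwarding", ok_pattern),     # allowed
        ("controltower-securityhub", ok_pattern),              # denied: case-sensitive ARN match
        ("ControlTowerGuardDuty", {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}),
        ("ControlTowerNoDetailType", {"source": ["aws.securityhub"]}),
    ]:
        print(name, put_rule_allowed("us-east-1", "111122223333", name, pattern))
```

The model is useful in the other direction too: a member-account rule that forwards Security Hub findings but does not satisfy all three conditions cannot have been created by this role, which is the kind of discrepancy the drift-detection process described above exists to surface.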

A summary of updates to this managed policy is listed in the table AWS Control Tower managed policies.