How can I give only specific AWS "iam:PutUserPolicy" permissions?

Use case: in our application we need to grant the iam:PutUserPolicy permission to an IAM entity. That is trivial. We can assign the policy below to the IAM entity to which we want to grant iam:PutUserPolicy:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "iam:PutUserPolicy"
         ],
         "Resource":"*"
      }
   ]
}

Suppose we have another requirement and assign PutUserPolicy to IAM user U1. This means that U1 can now assign ANY policy to ANY IAM user. The second "ANY" can be avoided by changing "Resource":"*" to "Resource":"user-arn", but how do we deal with the first ANY? Is there a way to grant the "iam:PutUserPolicy" permission so that only the "iam:CreateUser" permission is allowed? Or perhaps so that only "iam:CreateUser" is blocked and all other policies are allowed?

I went through the AWS documentation and found conditions kind of helpful, but I could not find any IAM service-specific keys and values, though I did find some for EC2 and SNS.

For example, we can assign the following policy:

{
   "Version":"2012-10-17",
   "Statement":[{
      "Effect":"Allow",
      "Action":["s3:ListBucket"],
      "Resource":"*",
      "Condition":{"StringNotEquals":{"s3:prefix":"arn:aws:s3:::BUCKET-NAME/home/"}}
      }
   ]
}

It grants permissions on all other S3 folders and buckets except the home folder in a specific bucket.

Can we do something like this?

{
   "Version":"2012-10-17",
   "Statement":[{
      "Effect":"Allow",
      "Action":["iam:PutUserPolicy"],
      "Resource":"*",
      "Condition":{"StringNotEquals":{"iam:policy-contains":"iam:CreateUser"}}
      }
   ]
}

AWS has just introduced Managed Policies for AWS Identity & Access Management, which provide a fresh approach to sharing and maintaining IAM policies across IAM entities, notably also including Delegating permissions management, see Controlling Access to Managed Policies:

Managed policies give you precise control over how your users can manage policies and manage permissions for others. You can separately control who can create, update, and delete policies, and who can attach and detach policies to and from principal entities (users, groups, and roles). You can also control which policies a user can attach or detach, and to and from which entities. [emphasis mine]

A typical scenario is that you give permissions to an account administrator to create, update, and delete policies. Then, you give permissions to a team leader or other limited administrator to attach and detach these policies [...].

The section Controlling Permissions for Attaching and Detaching Managed Policies provides an example policy that allows attaching only specific managed policies to specific groups or roles, which conceptually lets you achieve what you are looking for:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "iam:AttachGroupPolicy",
      "iam:AttachRolePolicy"
    ],
    "Resource": [
      "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:group/TEAM-A/*",
      "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:role/TEAM-A/*"
    ],
    "Condition": {"ArnLike": 
      {"iam:PolicyArn": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:policy/TEAM-A/*"}
    }
  }
}
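To see why the managed-policy statement above answers the question where PutUserPolicy cannot, here is an added example (not part of the answer or of AWS's own code) that models, offline and in simplified form, how IAM evaluates that statement: the request action must be listed, the target group/role ARN must match a Resource pattern, and the policy being attached (the iam:PolicyArn request key) must satisfy the ArnLike condition, so a delegated team leader can attach only TEAM-A policies to TEAM-A principals and cannot attach, say, an AWS-managed administrator policy. The account id 123456789012 is a constructed placeholder, and the matcher is a model of ArnLike semantics, not the real IAM engine.

```python
import re

ACCOUNT = "123456789012"  # constructed placeholder for ACCOUNT-ID-WITHOUT-HYPHENS

# The answer's example statement with the placeholder account id filled in.
STATEMENT = {
    "Effect": "Allow",
    "Action": ["iam:AttachGroupPolicy", "iam:AttachRolePolicy"],
    "Resource": [
        f"arn:aws:iam::{ACCOUNT}:group/TEAM-A/*",
        f"arn:aws:iam::{ACCOUNT}:role/TEAM-A/*",
    ],
    "Condition": {
        "ArnLike": {"iam:PolicyArn": f"arn:aws:iam::{ACCOUNT}:policy/TEAM-A/*"}
    },
}


def arn_like(pattern: str, value: str) -> bool:
    """Model of ArnLike: the six colon-separated ARN parts are compared one by one;
    within a part '*' matches any run of characters and '?' exactly one."""
    p_parts, v_parts = pattern.split(":", 5), value.split(":", 5)
    if len(p_parts) != 6 or len(v_parts) != 6:
        return False
    for p, v in zip(p_parts, v_parts):
        regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in p)
        if re.fullmatch(regex, v) is None:
            return False
    return True


def is_allowed(action: str, resource: str, context: dict, statement=STATEMENT) -> bool:
    """Evaluate one Allow statement: action, resource and every condition key must match.
    A condition key absent from the request context fails the check (no ...IfExists)."""
    if action not in statement["Action"]:
        return False
    if not any(arn_like(p, resource) for p in statement["Resource"]):
        return False
    for operator, pairs in statement.get("Condition", {}).items():
        if operator != "ArnLike":
            raise NotImplementedError(f"operator {operator} is not modelled here")
        for key, pattern in pairs.items():
            if key not in context or not arn_like(pattern, context[key]):
                return False
    return statement["Effect"] == "Allow"


def can_attach(action: str, entity_arn: str, policy_arn: str) -> bool:
    """Would the delegated principal be allowed to attach policy_arn to entity_arn?"""
    return is_allowed(action, entity_arn, {"iam:PolicyArn": policy_arn})
```

Because the condition is on the ARN of an existing managed policy rather than on the contents of an inline document, this is exactly the kind of "which policies may be attached" control that an inline PutUserPolicy grant has no condition key for.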