aws-iam
AWS IAM
Manage identity and access in AWS.
IAM Policies
```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "s3:GetObject",
      "s3:PutObject"
    ],
    "Resource": "arn:aws:s3:::my-bucket/*"
  }]
}
```

This identity-based policy grants read and write on the objects in one bucket and nothing else. `s3:ListBucket` is a bucket-level action, so listing would need a separate statement whose Resource is the bucket ARN without `/*`.

Create Role
```bash
# Create role with trust policy
aws iam create-role \
  --role-name EC2AppRole \
  --assume-role-policy-document '{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole" }] }'

# Attach policy
aws iam attach-role-policy \
  --role-name EC2AppRole \
  --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
```

The trust policy decides who may assume the role (here only the EC2 service); the attached permissions policy decides what the role may do. An EC2 instance uses the role through an instance profile, not directly. AmazonS3ReadOnlyAccess is read-only across every bucket in the account; to give the instance exactly the single-bucket read/write grant shown above, create that document as a customer-managed policy and attach it instead.

Service-Linked Roles
```bash
# For services like ECS, RDS
aws iam create-service-linked-role \
  --aws-service-name ecs.amazonaws.com
```

A service-linked role's trust policy and permissions are predefined by the service and cannot be edited, and many services create their role automatically the first time they are used. Creating it explicitly is useful when the principal that will first use the service lacks `iam:CreateServiceLinkedRole`.

Best Practices
```yaml
security_practices:
  - Use roles, not long-term credentials
  - Implement least privilege
  - Enable MFA
  - Regular access reviews
  - Use IAM Access Analyzer
  - Implement SCPs for organizations
```

Policy Conditions
```json
{
  "Condition": {
    "StringEquals": {
      "aws:RequestedRegion": "us-east-1"
    },
    "Bool": {
      "aws:MultiFactorAuthPresent": "true"
    }
  }
}
```

Both keys must hold for the statement to apply. `aws:MultiFactorAuthPresent` exists in the request context only for requests made with temporary credentials; for requests signed with a long-term access key the key is absent, not `false`. `Bool` is therefore fine in an Allow statement (an absent key simply does not match), but a Deny meant to block non-MFA access must use `BoolIfExists` with `"false"`, otherwise it never fires for access-key requests. Global services such as IAM evaluate `aws:RequestedRegion` as `us-east-1`, so a region restriction also affects them.
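To make the evaluation rules behind the policy and condition examples on this page concrete, here is an added Python example (not code from this page or from AWS) that models the core of IAM's decision logic: an explicit Deny beats any Allow, no matching Allow is an implicit deny, `*`/`?` wildcards in Action and Resource, and the `StringEquals`, `Bool` and `BoolIfExists` operators, including the absent-MFA-key edge case. Both policy documents, the request contexts and the object ARN are constructed for the example; real IAM has many more operators, policy types and evaluation stages that this does not model.

```python
"""Toy IAM policy evaluator: an added example, not AWS's engine.
Models: explicit Deny wins, implicit deny by default, '*' and '?' wildcards,
and the StringEquals / Bool / BoolIfExists operators. NotAction/NotResource
and other operators are not modelled (unknown operators raise).
"""
import fnmatch

ALLOW_S3_POLICY = {  # constructed: the page's grant plus the page's conditions
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::my-bucket/*",
        "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"},
                      "Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}

# Constructed guard-rail: deny everything unless MFA was used. BoolIfExists is
# deliberate: with a long-term access key the MFA key is absent from the request
# context, so a plain Bool "false" test would never match and the Deny never fires.
DENY_WITHOUT_MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case=False):
    """IAM-style wildcard match: '*' any run of characters, '?' one character."""
    patterns = _as_list(patterns)
    if fold_case:  # action names are matched case-insensitively
        patterns, value = [p.lower() for p in patterns], value.lower()
    # fnmatch gives '[' a meaning IAM does not have; neutralise it.
    return any(fnmatch.fnmatchcase(value, p.replace("[", "[[]")) for p in patterns)


def _conditions_hold(condition, ctx):
    """Every operator/key pair must hold (AND); values under one key are OR-ed."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = ctx.get(key)
            if operator == "StringEquals":  # case-sensitive, key must be present
                ok = actual is not None and str(actual) in map(str, _as_list(expected))
            elif operator in ("Bool", "BoolIfExists"):
                wanted = [str(e).lower() for e in _as_list(expected)]
                if actual is None:  # absent key: only the IfExists form passes
                    ok = operator == "BoolIfExists"
                else:
                    ok = str(actual).lower() in wanted
            else:
                raise ValueError(f"condition operator {operator} not modelled")
            if not ok:
                return False
    return True


def evaluate(policies, action, resource, ctx):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action, fold_case=True):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if not _conditions_hold(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny always wins
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def demo():
    """Run the page's grant through representative (constructed) request contexts."""
    policies = [ALLOW_S3_POLICY, DENY_WITHOUT_MFA_POLICY]
    obj = "arn:aws:s3:::my-bucket/reports/q1.csv"
    mfa = {"aws:RequestedRegion": "us-east-1", "aws:MultiFactorAuthPresent": "true"}
    access_key = {"aws:RequestedRegion": "us-east-1"}  # long-term key: MFA key absent
    return {
        "get_with_mfa": evaluate(policies, "s3:GetObject", obj, mfa),
        "put_with_mfa": evaluate(policies, "s3:PutObject", obj, mfa),
        "delete_with_mfa": evaluate(policies, "s3:DeleteObject", obj, mfa),
        "other_bucket": evaluate(policies, "s3:GetObject", "arn:aws:s3:::other/x", mfa),
        "wrong_region": evaluate(policies, "s3:GetObject", obj, {**mfa, "aws:RequestedRegion": "eu-west-1"}),
        "access_key": evaluate(policies, "s3:GetObject", obj, access_key),
        "access_key_no_guardrail": evaluate([ALLOW_S3_POLICY], "s3:GetObject", obj, access_key),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```

The last two cases are the ones worth staring at: with the `BoolIfExists` guard-rail an access-key request is explicitly denied, while without it the same request is only implicitly denied by the Allow's `Bool` condition, and any other Allow statement in scope would let it through.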
Best Practices
- Follow least privilege
- Use IAM roles for applications
- Enable CloudTrail for auditing
- Regular credential rotation
- Use permission boundaries
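Least privilege and access reviews, listed in both best-practice sections above, are only actionable if over-broad grants can be spotted mechanically. The following added Python example (not code from this page or from AWS, and not a substitute for IAM Access Analyzer's policy checks) lints policy documents for the findings a reviewer looks for first: full-admin and service-wide wildcards, `Resource: "*"` on actions that support resource scoping, unscoped `iam:PassRole`, `NotAction`/`NotResource` grants, and a public principal in a trust or resource policy. The sample policies and the short `STAR_ONLY_ACTIONS` allow-list are constructed for the example.

```python
"""Least-privilege lint for IAM policy documents: an added example standing in
for the kind of checks IAM Access Analyzer policy validation and a periodic
access review make. It is not AWS's code and the check list is partial.
Findings are (code, statement_index) pairs.
"""

# Actions with no resource-level permission support, so Resource "*" is the
# only valid choice for them. Partial allow-list, an assumption of this example.
STAR_ONLY_ACTIONS = {"s3:listallmybuckets", "ec2:describeinstances"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """'*' or {"AWS": "*"} lets any AWS principal in (trust/resource policies)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def lint(policy):
    """Return [(finding_code, statement_index)] for one policy document."""
    findings = []
    for idx, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if "Principal" in stmt and _principal_is_public(stmt["Principal"]) \
                and not stmt.get("Condition"):
            findings.append(("PUBLIC_PRINCIPAL", idx))
        if "NotAction" in stmt:  # "everything except" grants are never least privilege
            findings.append(("ALLOW_WITH_NOT_ACTION", idx))
        if "NotResource" in stmt:
            findings.append(("ALLOW_WITH_NOT_RESOURCE", idx))
        if "*" in actions and "*" in resources:
            findings.append(("FULL_ADMIN", idx))
            continue  # every finer-grained finding is implied
        if "*" in actions:
            findings.append(("ALL_ACTIONS", idx))
        elif any(a.endswith(":*") for a in actions):
            findings.append(("SERVICE_WILDCARD_ACTION", idx))
        if "*" in resources:
            if any(a not in STAR_ONLY_ACTIONS for a in actions):
                findings.append(("UNSCOPED_RESOURCE", idx))
            # iam:PassRole on "*" lets the holder hand any role, admin ones
            # included, to a service they control: a classic escalation path.
            if any(a in ("iam:passrole", "iam:*") for a in actions):
                findings.append(("PASS_ROLE_UNSCOPED", idx))
    return findings


# Constructed sample documents.
PAGE_S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
                   "Resource": "arn:aws:s3:::my-bucket/*"}],
}
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DEPLOY_POLICY = {  # a typical "CI needs to deploy" policy with common over-grants
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["lambda:*", "iam:PassRole"], "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}
EC2_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}
PUBLIC_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}


def demo():
    """Lint every sample; a clean policy yields an empty list."""
    samples = {"page_s3": PAGE_S3_POLICY, "admin": ADMIN_POLICY, "deploy": DEPLOY_POLICY,
               "ec2_trust": EC2_TRUST_POLICY, "public_trust": PUBLIC_TRUST_POLICY}
    return {name: lint(policy) for name, policy in samples.items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {findings or 'clean'}")
```

Run against the page's own policies this reports nothing, which is the point: the deploy policy's first statement is where the findings cluster, and an unscoped `iam:PassRole` next to `lambda:*` is exactly the pair a pentester looks for when escalating from a CI role.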
Related Skills
- terraform-aws - IaC deployment
- access-review - Access auditing