我正在尝试使用 IAM 设置 CI/CD,以便只有特定 IAM 用户才能更新我们的Prod CloudFormation 堆栈。
但我们对 CloudFormation 上的更新策略如何工作感到困惑。
如果我的 IAM 用户只有一项策略:Prod CloudFormation 堆栈上的 Update,他是否能够编辑/更改此堆栈中的任何资源,即使他没有这些特定权限?
例如,我在该堆栈上有一个 S3 存储桶,并且我在更新时更改了它的名称,即使该用户只有更新策略,他也能够执行此操作吗?
最佳答案
If I have an IAM user who only has one policy :
UpdateonProdCloudFormation stack, will he be able to edit/change any resources in this stack even though he doesn't have those specific permissions?
没有。
Ref :
In addition to AWS CloudFormation actions, you can manage what AWS services and resources are available to each user. That way, you can control which resources users can access when they use AWS CloudFormation. For example, you can specify which users can create Amazon EC2 instances, terminate database instances, or update VPCs. Those same permissions are applied anytime they use AWS CloudFormation to do those actions.
关于amazon-web-services - CloudFormation 更新策略如何运作?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/65183263/