implementing-aws-iam-permission-boundaries

在 AWS 中配置 IAM 权限边界,使安全团队能够安全地委托开发者创建角色,同时强制执行最大权限限制。

9 stars

Best use case

implementing-aws-iam-permission-boundaries is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

在 AWS 中配置 IAM 权限边界,使安全团队能够安全地委托开发者创建角色,同时强制执行最大权限限制。

Teams using implementing-aws-iam-permission-boundaries should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/implementing-aws-iam-permission-boundaries/SKILL.md --create-dirs "https://raw.githubusercontent.com/killvxk/cybersecurity-skills-zh/main/skills/implementing-aws-iam-permission-boundaries/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/implementing-aws-iam-permission-boundaries/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How implementing-aws-iam-permission-boundaries Compares

Feature / Agentimplementing-aws-iam-permission-boundariesStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

在 AWS 中配置 IAM 权限边界,使安全团队能够安全地委托开发者创建角色,同时强制执行最大权限限制。

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# 实施 AWS IAM 权限边界

## 概述

IAM 权限边界(Permission Boundaries)是 AWS 的高级功能,用于设置基于身份的策略可以向 IAM 实体(用户或角色)授予的最大权限。它们使集中式安全团队能够安全地将 IAM 角色和策略创建委托给应用开发者,而不会有权限提升的风险。实体的有效权限是其基于身份的策略与权限边界的交集——即使身份策略授予了 `AdministratorAccess`,权限边界也会将其限制为仅允许的操作。

## 前置条件

- 具有 IAM 管理员访问权限的 AWS 账户
- 了解 AWS IAM 策略语言(JSON)
- 配置了适当凭据的 AWS CLI v2
- 用于基础设施即代码部署的 Terraform 或 CloudFormation

## 核心概念

### 权限边界的工作原理

```
基于身份的策略              权限边界
(角色能做什么)      ∩    (角色可以做什么)
        │                              │
        └──────────┬───────────────────┘
                   │
          有效权限
    (仅两个策略都允许的操作)
```

### 策略评估逻辑

AWS 按以下顺序评估权限:
1. **显式拒绝** — 在任何策略中始终优先
2. **Organizations SCP** — 设置组织范围的最大权限
3. **权限边界** — 设置实体级别的最大权限
4. **基于身份的策略** — 授予实际权限
5. **基于资源的策略** — 跨账户访问(单独评估)

实体只有在所有适用的策略类型都允许时才能执行操作。

### 主要使用场景

| 使用场景 | 描述 |
|----------|-------------|
| 开发者委托 | 允许开发者创建 IAM 角色,但不能超出其边界范围 |
| 沙箱隔离 | 限制沙箱/开发账户中角色的操作范围 |
| 多租户工作负载 | 确保特定于租户的角色无法访问其他租户的资源 |
| CI/CD 流水线角色 | 将自动化角色限制在特定服务 |

## 实施步骤

### 步骤 1:定义权限边界策略

创建一个定义最大允许权限的托管策略:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowedServices",
            "Effect": "Allow",
            "Action": [
                "s3:*",
                "dynamodb:*",
                "lambda:*",
                "logs:*",
                "cloudwatch:*",
                "sqs:*",
                "sns:*",
                "events:*",
                "states:*",
                "xray:*",
                "ec2:Describe*",
                "ec2:CreateTags",
                "sts:AssumeRole",
                "kms:Decrypt",
                "kms:GenerateDataKey",
                "kms:DescribeKey",
                "secretsmanager:GetSecretValue"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowIAMPassRole",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::*:role/app-*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "lambda.amazonaws.com",
                        "states.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "DenyBoundaryDeletion",
            "Effect": "Deny",
            "Action": [
                "iam:DeletePolicy",
                "iam:DeletePolicyVersion",
                "iam:CreatePolicyVersion"
            ],
            "Resource": "arn:aws:iam::*:policy/DeveloperBoundary"
        },
        {
            "Sid": "DenyBoundaryRemoval",
            "Effect": "Deny",
            "Action": [
                "iam:DeleteUserPermissionsBoundary",
                "iam:DeleteRolePermissionsBoundary"
            ],
            "Resource": "*"
        }
    ]
}
```

### 步骤 2:创建开发者委托策略

授予开发者创建 IAM 角色的能力,但必须附加边界:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCreateRoleWithBoundary",
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:AttachRolePolicy",
                "iam:DetachRolePolicy",
                "iam:PutRolePolicy",
                "iam:DeleteRolePolicy"
            ],
            "Resource": "arn:aws:iam::*:role/app-*",
            "Condition": {
                "StringEquals": {
                    "iam:PermissionsBoundary": "arn:aws:iam::*:policy/DeveloperBoundary"
                }
            }
        },
        {
            "Sid": "AllowCreatePolicyScoped",
            "Effect": "Allow",
            "Action": [
                "iam:CreatePolicy",
                "iam:DeletePolicy",
                "iam:CreatePolicyVersion",
                "iam:DeletePolicyVersion"
            ],
            "Resource": "arn:aws:iam::*:policy/app-*"
        },
        {
            "Sid": "AllowViewIAM",
            "Effect": "Allow",
            "Action": [
                "iam:Get*",
                "iam:List*"
            ],
            "Resource": "*"
        }
    ]
}
```

### 步骤 3:附加边界

```bash
# 创建边界策略
aws iam create-policy \
    --policy-name DeveloperBoundary \
    --policy-document file://developer-boundary.json

# 将边界附加到现有角色
aws iam put-role-permissions-boundary \
    --role-name developer-role \
    --permissions-boundary arn:aws:iam::123456789012:policy/DeveloperBoundary

# 创建带边界的新角色
aws iam create-role \
    --role-name app-lambda-executor \
    --assume-role-policy-document file://trust-policy.json \
    --permissions-boundary arn:aws:iam::123456789012:policy/DeveloperBoundary
```

### 步骤 4:防止权限提升

边界必须包含拒绝语句,防止开发者:
- 从自己的角色中移除边界
- 修改边界策略本身
- 创建未附加边界的角色
- 访问 IAM 服务进行权限提升

### 步骤 5:使用 Terraform 部署

```hcl
resource "aws_iam_policy" "developer_boundary" {
  name   = "DeveloperBoundary"
  path   = "/"
  policy = file("${path.module}/policies/developer-boundary.json")
}

resource "aws_iam_role" "app_role" {
  name                 = "app-lambda-executor"
  assume_role_policy   = data.aws_iam_policy_document.lambda_trust.json
  permissions_boundary = aws_iam_policy.developer_boundary.arn
}
```

## 验证清单

- [ ] 权限边界策略已创建并经安全团队审查
- [ ] 边界包含防止自我修改的拒绝语句
- [ ] 开发者委托策略要求所有新角色附加边界
- [ ] 强制执行角色命名约定(如 `app-*` 前缀)
- [ ] 开发者测试了有/无边界时的角色创建(无边界时应失败)
- [ ] 已测试并阻止权限提升路径
- [ ] 已为 IAM API 调用启用 CloudTrail 日志
- [ ] 边界策略已在源代码控制中进行版本管理
- [ ] 自动化测试验证边界有效性
- [ ] 已向开发团队提供文档

## 参考资料

- [AWS IAM 权限边界文档](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
- [何时何处使用权限边界 - AWS 安全博客](https://aws.amazon.com/blogs/security/when-and-where-to-use-iam-permissions-boundaries/)
- [AWS 权限边界示例 - GitHub](https://github.com/aws-samples/example-permissions-boundary)
- [AWS 规范指南 - 创建权限边界](https://docs.aws.amazon.com/prescriptive-guidance/latest/transitioning-to-multiple-aws-accounts/creating-a-permissions-boundary.html)

Related Skills

securing-aws-iam-permissions

9
from killvxk/cybersecurity-skills-zh

本技能引导从业者加固 AWS 身份和访问管理(Identity and Access Management)配置,在云账户中强制执行最小权限(Least Privilege)访问。涵盖 IAM 策略范围界定、权限边界(Permission Boundary)、Access Analyzer 集成和凭据轮换策略,以降低受损身份的影响范围。

implementing-zero-trust-with-hashicorp-boundary

9
from killvxk/cybersecurity-skills-zh

使用 HashiCorp Boundary 实现具备动态凭据代理、会话录制和 Vault 集成的身份感知零信任基础设施访问管理。

implementing-zero-trust-with-beyondcorp

9
from killvxk/cybersecurity-skills-zh

使用身份感知代理(IAP,Identity-Aware Proxy)、上下文感知访问策略、设备信任验证和 Access Context Manager,部署 Google BeyondCorp Enterprise 零信任访问控制,对 GCP 资源和内部应用强制执行基于身份和安全态势的访问。

implementing-zero-trust-network-access

9
from killvxk/cybersecurity-skills-zh

通过配置身份感知代理、微分段、基于条件访问策略的持续验证,以及在 AWS、Azure 和 GCP 环境中以 BeyondCorp 风格的架构替代传统 VPN 访问,在云环境中实施零信任网络访问(ZTNA)。

implementing-zero-trust-network-access-with-zscaler

9
from killvxk/cybersecurity-skills-zh

使用 Zscaler 实施零信任网络访问(Zero Trust Network Access,ZTNA),通过 Zscaler Private Access(ZPA)配置应用分段、访问策略和连接器,替代传统 VPN 架构

implementing-zero-trust-in-cloud

9
from killvxk/cybersecurity-skills-zh

本技能指导组织按照 NIST SP 800-207 和 Google BeyondCorp 原则在云环境中实施零信任(Zero Trust)架构,涵盖以身份为中心的访问控制、微分段(Micro-Segmentation)、持续验证、设备信任评估,以及部署身份感知代理(Identity-Aware Proxy)以消除 AWS、Azure 和 GCP 环境中的隐式网络信任。

implementing-zero-trust-for-saas-applications

9
from killvxk/cybersecurity-skills-zh

使用 CASB、SSPM、条件访问策略、OAuth 应用治理和会话控制,为 SaaS 应用实施零信任访问控制, 对云托管服务强制执行身份验证、设备合规性检查和数据保护。

implementing-zero-trust-dns-with-nextdns

9
from killvxk/cybersecurity-skills-zh

将 NextDNS 实施为零信任 DNS 过滤层,提供加密解析、威胁情报阻断、隐私保护,以及跨所有端点的组织策略执行。

implementing-zero-standing-privilege-with-cyberark

9
from killvxk/cybersecurity-skills-zh

部署 CyberArk Secure Cloud Access,通过基于时间、权限和审批控制的即时访问,在混合云和多云环境中消除常设权限。

implementing-zero-knowledge-proof-for-authentication

9
from killvxk/cybersecurity-skills-zh

零知识证明(ZKP)允许证明者在不泄露秘密本身的情况下证明对某个秘密(如密码或私钥)的了解。本技能实现 Schnorr 身份识别协议和使用离散对数问题的简化 ZKPP,使服务器永远不需要获取用户密码即可完成认证。

implementing-web-application-logging-with-modsecurity

9
from killvxk/cybersecurity-skills-zh

配置带有 OWASP 核心规则集(CRS)的 ModSecurity WAF,实现 Web 应用程序日志记录, 调整规则以减少误报,分析审计日志进行攻击检测,并为应用程序特定威胁实现自定义 SecRules。 分析师配置 SecRuleEngine、SecAuditEngine 和 CRS 偏执级别,以在安全覆盖范围和运营稳定性之间取得平衡。 适用于涉及 WAF 配置、ModSecurity 规则调整、Web 应用审计日志或 CRS 部署的场景。

implementing-vulnerability-sla-breach-alerting

9
from killvxk/cybersecurity-skills-zh

为漏洞修复 SLA 违规构建自动化告警,包含基于严重程度的时间线、升级工作流和合规性报告仪表板。