Has AWS ever suddenly started refusing your operations, and when you looked into it you found a policy called AWSCompromisedKeyQuarantine (sometimes with a V2 suffix) attached to your IAM user, blocking all sorts of actions?
This does not turn up much in searches, and some of the articles that do turn up handle it the wrong way, so I want to document it here.
AWS attaches these policies itself when it detects risky activity involving a credential (typically an access key that was exposed publicly), to limit what anyone holding that credential can do.
Yes, a lot of operations get blocked, but do NOT detach the policy!
That IAM user's credentials are compromised, so stop using them: have a different, unaffected administrator deactivate the exposed access key and issue fresh credentials, because the quarantined user itself is denied iam:UpdateAccessKey and iam:CreateAccessKey by this very policy, and follow the instructions in the support case AWS opened for the event.
You have most likely also received an abuse notification e-mail from AWS. For reference:
Policy contents (as of 2022/6/10)

Policy ARN
arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantine
arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV2

Description
Denies access to certain actions, applied by the AWS team in the event that an IAM user's credentials have been compromised or exposed publicly. Do NOT remove this policy. Instead, please follow the instructions specified in the support case created for you regarding this event.

Policy document of AWSCompromisedKeyQuarantine
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "iam:AttachGroupPolicy",
                "iam:AttachRolePolicy",
                "iam:AttachUserPolicy",
                "iam:ChangePassword",
                "iam:CreateAccessKey",
                "iam:CreateInstanceProfile",
                "iam:CreateLoginProfile",
                "iam:CreateRole",
                "iam:CreateUser",
                "iam:DetachUserPolicy",
                "iam:PutUserPermissionsBoundary",
                "iam:PutUserPolicy",
                "iam:UpdateAccessKey",
                "iam:UpdateAccountPasswordPolicy",
                "iam:UpdateUser",
                "ec2:RequestSpotInstances",
                "ec2:RunInstances",
                "ec2:StartInstances",
                "organizations:CreateAccount",
                "organizations:CreateOrganization",
                "organizations:InviteAccountToOrganization",
                "lambda:CreateFunction",
                "lightsail:Create*",
                "lightsail:Start*",
                "lightsail:Delete*",
                "lightsail:Update*",
                "lightsail:GetInstanceAccessDetails",
                "lightsail:DownloadDefaultKeyPair"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
Policy document of AWSCompromisedKeyQuarantineV2
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "ec2:RequestSpotInstances",
                "ec2:RunInstances",
                "ec2:StartInstances",
                "iam:AddUserToGroup",
                "iam:AttachGroupPolicy",
                "iam:AttachRolePolicy",
                "iam:AttachUserPolicy",
                "iam:ChangePassword",
                "iam:CreateAccessKey",
                "iam:CreateInstanceProfile",
                "iam:CreateLoginProfile",
                "iam:CreatePolicyVersion",
                "iam:CreateRole",
                "iam:CreateUser",
                "iam:DetachUserPolicy",
                "iam:PassRole",
                "iam:PutGroupPolicy",
                "iam:PutRolePolicy",
                "iam:PutUserPermissionsBoundary",
                "iam:PutUserPolicy",
                "iam:SetDefaultPolicyVersion",
                "iam:UpdateAccessKey",
                "iam:UpdateAccountPasswordPolicy",
                "iam:UpdateAssumeRolePolicy",
                "iam:UpdateLoginProfile",
                "iam:UpdateUser",
                "lambda:AddLayerVersionPermission",
                "lambda:AddPermission",
                "lambda:CreateFunction",
                "lambda:GetPolicy",
                "lambda:ListTags",
                "lambda:PutProvisionedConcurrencyConfig",
                "lambda:TagResource",
                "lambda:UntagResource",
                "lambda:UpdateFunctionCode",
                "lightsail:Create*",
                "lightsail:Delete*",
                "lightsail:DownloadDefaultKeyPair",
                "lightsail:GetInstanceAccessDetails",
                "lightsail:Start*",
                "lightsail:Update*",
                "organizations:CreateAccount",
                "organizations:CreateOrganization",
                "organizations:InviteAccountToOrganization",
                "s3:DeleteBucket",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:PutLifecycleConfiguration",
                "s3:PutBucketAcl",
                "s3:PutBucketOwnershipControls",
                "s3:DeleteBucketPolicy",
                "s3:ObjectOwnerOverrideToBucketOwner",
                "s3:PutAccountPublicAccessBlock",
                "s3:PutBucketPolicy",
                "s3:ListAllMyBuckets"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
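To make the two deny lists above easier to reason about, here is a small offline helper, added here as an example and not code from the original post or from AWS. It copies the Action lists from the two policy documents as shown on this page, checks whether a given action is denied (IAM action matching is case-insensitive and honours the * wildcard, which is what lightsail:Create* relies on), lists what V2 adds over V1 (the Lambda, S3 and extra IAM privilege-escalation actions), and flags users that carry either policy given the attached-policy ARNs you would get back from `aws iam list-attached-user-policies`. The user names and ARN lists in the sample input are constructed for the example.

```python
"""Added example (not from the original post): offline helper for the
AWSCompromisedKeyQuarantine / AWSCompromisedKeyQuarantineV2 deny lists.

The action lists are copied from the policy documents as shown on this page
(2022/6/10). Matching mirrors IAM's Action element as far as these policies
need it: case-insensitive, with '*' and '?' wildcards.
"""
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List

QUARANTINE_V1_ARN = "arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantine"
QUARANTINE_V2_ARN = "arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV2"

# Action list of AWSCompromisedKeyQuarantine (28 entries).
V1_ACTIONS = """
iam:AttachGroupPolicy iam:AttachRolePolicy iam:AttachUserPolicy iam:ChangePassword
iam:CreateAccessKey iam:CreateInstanceProfile iam:CreateLoginProfile iam:CreateRole
iam:CreateUser iam:DetachUserPolicy iam:PutUserPermissionsBoundary iam:PutUserPolicy
iam:UpdateAccessKey iam:UpdateAccountPasswordPolicy iam:UpdateUser
ec2:RequestSpotInstances ec2:RunInstances ec2:StartInstances
organizations:CreateAccount organizations:CreateOrganization
organizations:InviteAccountToOrganization lambda:CreateFunction
lightsail:Create* lightsail:Start* lightsail:Delete* lightsail:Update*
lightsail:GetInstanceAccessDetails lightsail:DownloadDefaultKeyPair
""".split()

# Action list of AWSCompromisedKeyQuarantineV2 (55 entries).
V2_ACTIONS = """
ec2:RequestSpotInstances ec2:RunInstances ec2:StartInstances
iam:AddUserToGroup iam:AttachGroupPolicy iam:AttachRolePolicy iam:AttachUserPolicy
iam:ChangePassword iam:CreateAccessKey iam:CreateInstanceProfile iam:CreateLoginProfile
iam:CreatePolicyVersion iam:CreateRole iam:CreateUser iam:DetachUserPolicy iam:PassRole
iam:PutGroupPolicy iam:PutRolePolicy iam:PutUserPermissionsBoundary iam:PutUserPolicy
iam:SetDefaultPolicyVersion iam:UpdateAccessKey iam:UpdateAccountPasswordPolicy
iam:UpdateAssumeRolePolicy iam:UpdateLoginProfile iam:UpdateUser
lambda:AddLayerVersionPermission lambda:AddPermission lambda:CreateFunction
lambda:GetPolicy lambda:ListTags lambda:PutProvisionedConcurrencyConfig
lambda:TagResource lambda:UntagResource lambda:UpdateFunctionCode
lightsail:Create* lightsail:Delete* lightsail:DownloadDefaultKeyPair
lightsail:GetInstanceAccessDetails lightsail:Start* lightsail:Update*
organizations:CreateAccount organizations:CreateOrganization
organizations:InviteAccountToOrganization
s3:DeleteBucket s3:DeleteObject s3:DeleteObjectVersion s3:PutLifecycleConfiguration
s3:PutBucketAcl s3:PutBucketOwnershipControls s3:DeleteBucketPolicy
s3:ObjectOwnerOverrideToBucketOwner s3:PutAccountPublicAccessBlock s3:PutBucketPolicy
s3:ListAllMyBuckets
""".split()


def is_denied(deny_actions: Iterable[str], action: str) -> bool:
    """True if `action` (e.g. 's3:DeleteObject') matches any deny-list pattern.

    IAM compares action names case-insensitively and treats '*' / '?' as
    wildcards, so 'lightsail:Create*' covers 'lightsail:CreateInstances'.
    """
    wanted = action.lower()
    return any(fnmatchcase(wanted, pattern.lower()) for pattern in deny_actions)


def denied_subset(deny_actions: Iterable[str], requested: Iterable[str]) -> List[str]:
    """Return, in order, the requested actions the quarantine would block."""
    patterns = list(deny_actions)
    return [a for a in requested if is_denied(patterns, a)]


def added_in_v2() -> List[str]:
    """Actions that V2 denies but V1 does not (V1 is a strict subset of V2)."""
    return sorted(set(V2_ACTIONS) - set(V1_ACTIONS))


def quarantined_users(attached: Dict[str, List[str]]) -> List[str]:
    """Given user name -> attached managed-policy ARNs (the AttachedPolicies[].PolicyArn
    values from `aws iam list-attached-user-policies`), return quarantined users."""
    flagged = {QUARANTINE_V1_ARN, QUARANTINE_V2_ARN}
    return sorted(user for user, arns in attached.items() if flagged & set(arns))


if __name__ == "__main__":
    # Constructed sample: what an inventory of attached policies might look like.
    sample = {
        "ci-deploy": ["arn:aws:iam::aws:policy/PowerUserAccess", QUARANTINE_V2_ARN],
        "alice": ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
    }
    print("quarantined:", quarantined_users(sample))
    # The quarantined user cannot rotate its own key; an admin must do it.
    print("self-remediation blocked:",
          denied_subset(V2_ACTIONS, ["iam:CreateAccessKey", "iam:UpdateAccessKey"]))
    print("new in V2:", added_in_v2())
```

To act on the result from an unaffected administrator identity, `aws iam list-entities-for-policy --policy-arn <ARN>` lists every user the policy is attached to, and `aws iam update-access-key --user-name <user> --access-key-id <id> --status Inactive` deactivates the exposed key without detaching the quarantine policy.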