用于限制对一个 VPC 的访问的 IAM 策略

用于限制对一个 VPC 的访问的 IAM 策略

我正在尝试将用户限制到单个 VPC。我经历了控制对 Amazon VPC 资源的访问并提出了以下策略,但它不起作用。有人能指出其中的错误吗?

我应该提一下IAM 策略模拟器在模拟设置中的条件键下设置 VPC ARN 后,似乎认为策略没问题。

(我已将我的策略中的区域、账户和 vpc-id 替换为实际值。)


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:*Vpc*",
                "ec2:*Subnet*",
                "ec2:*Gateway*",
                "ec2:*Vpn*",
                "ec2:*Route*",
                "ec2:*Address*",
                "ec2:*SecurityGroup*",
                "ec2:*NetworkAcl*",
                "ec2:*DhcpOptions*",
                "ec2:RunInstances",
                "ec2:StopInstances",
                "ec2:StartInstances",
                "ec2:TerminateInstances",
                "ec2:Describe*"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:Vpc": "arn:aws:ec2:region:account:vpc/vpc-id"
                }
            }
        }
    ]
}
谢谢。

答案1

你很可能需要重新组合你的IAM 策略类似于示例 5.在特定 VPC 中启动实例之内控制对 Amazon VPC 资源的访问

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:region:account:subnet/*",
        "Condition": {
         "StringEquals": {
            "ec2:Vpc": "arn:aws:ec2:region:account:vpc/vpc-1a2b3c4d"
            }
      }
   },
   ...
   ]
}

也就是说,可用的资源(及其粒度)特定于每个 API 操作,因此对于手头的示例运行实例适用于特定子网中的 EC2 资源,而该子网又是 VPC 的一部分;因此,您需要定位子网,但可以通过其ec2:Vpc属性进一步限制可能的子网集IAM 策略条件如上所述。

答案2

某些权限无法应用于特定资源。当您在 IAM 中检查策略时,这些权限将显示错误。

为了将用户限制到特定的 VPC 并允许所有 EC2 操作,以下策略可以帮助您实现这一点:

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "NonResourceBasedReadOnlyPermissions",
        "Action": [
            "ec2:Describe*",
            "ec2:CreateKeyPair",
            "ec2:CreateSecurityGroup",
            "iam:GetInstanceProfiles",
            "iam:ListInstanceProfiles"
        ],
        "Effect": "Allow",
        "Resource": "*"
    },
    {
        "Sid": "IAMPassroleToInstance",
        "Action": [
            "iam:PassRole"
        ],
        "Effect": "Allow",
        "Resource": "arn:aws:iam::123456789012:role/VPCLockDown"
    },
    {
        "Sid": "AllowInstanceActions",
        "Effect": "Allow",
        "Action": [
            "ec2:RebootInstances",
            "ec2:StopInstances",
            "ec2:TerminateInstances",
            "ec2:StartInstances",
            "ec2:AttachVolume",
            "ec2:DetachVolume"
        ],
        "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
        "Condition": {
            "StringEquals": {
                "ec2:InstanceProfile": "arn:aws:iam::123456789012:instance-profile/VPCLockDown"
            }
        }
    },
    {
        "Sid": "EC2RunInstances",
        "Effect": "Allow",
        "Action": "ec2:RunInstances",
        "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
        "Condition": {
            "StringEquals": {
                "ec2:InstanceProfile": "arn:aws:iam::123456789012:instance-profile/VPCLockDown"
            }
        }
    },
    {
        "Sid": "EC2RunInstancesSubnet",
        "Effect": "Allow",
        "Action": "ec2:RunInstances",
        "Resource": "arn:aws:ec2:us-east-1:123456789012:subnet/*",
        "Condition": {
            "StringEquals": {
                "ec2:vpc": "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-7bcd371e"
            }
        }
    },
    {
        "Sid": "RemainingRunInstancePermissions",
        "Effect": "Allow",
        "Action": "ec2:RunInstances",
        "Resource": [
            "arn:aws:ec2:us-east-1:123456789012:volume/*",
            "arn:aws:ec2:us-east-1::image/*",
            "arn:aws:ec2:us-east-1::snapshot/*",
            "arn:aws:ec2:us-east-1:123456789012:network-interface/*",
            "arn:aws:ec2:us-east-1:123456789012:key-pair/*",
            "arn:aws:ec2:us-east-1:123456789012:security-group/*"
        ]
    },
    {
        "Sid": "EC2VpcNonresourceSpecificActions",
        "Effect": "Allow",
        "Action": [
            "ec2:DeleteNetworkAcl",
            "ec2:DeleteNetworkAclEntry",
            "ec2:DeleteRoute",
            "ec2:DeleteRouteTable",
            "ec2:AuthorizeSecurityGroupEgress",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:RevokeSecurityGroupEgress",
            "ec2:RevokeSecurityGroupIngress",
            "ec2:DeleteSecurityGroup"
        ],
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "ec2:vpc": "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-7bcd371e"
            }
        }
    }
]
}

为了详细了解每个语句的作用,我建议阅读这个博客来自 AWS。此策略允许用户:

  • 登录 AWS 管理控制台并转到 Amazon EC2 控制台。
  • 只要满足以下条件,即可启动 EC2 实例:

    在适当的 VPC 中指定子网。指定允许的实例配置文件。

  • 在实例上启动/停止/重新启动/终止/附加卷/分离卷,只要它们:

    指定使用适当的实例配置文件启动的实例。

  • 删除安全组、路由、路由表、网络 ACL 和 ACL 条目以及授权和撤销安全组入口和出口规则,只要它们位于正确的 VPC 中。

答案3

另一个可能的解决方案是将单个 VPC 限制到特定子网。
以下策略允许在控制台中列出所有 EC2 实例以及对特定子网中的 EC2 实例执行任何操作。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "ec2:GetConsole*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": [
                "arn:aws:ec2:*:*:subnet/subnet-{YOUR_SUBNET_ID_1}",
                "arn:aws:ec2:*:*:subnet/subnet-{YOUR_SUBNET_ID_2}",
                "arn:aws:ec2:*:*:subnet/subnet-{YOUR_SUBNET_ID_N}",
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*::image/ami-*",
                "arn:aws:ec2:*:*:key-pair/*",
                "arn:aws:ec2:*:*:security-group/*"
            ]
        }
    ]
}

基于此资源: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_ec2_instances-subnet.html

答案4

实际上,您无法基于 VPC 执行此操作。AWS 不支持对资源级别权限执行 EC2-Describe* API 操作。相反,您可以基于安全组上的单个 VPC 应用类似操作,如下所示:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AcceptVpcPeeringConnection",
                "ec2:AllocateAddress",
                "ec2:AssignPrivateIpAddresses",
                "ec2:AssociateAddress",
                "ec2:AssociateDhcpOptions",
                "ec2:AssociateRouteTable",
                "ec2:AttachClassicLinkVpc",
                "ec2:AttachInternetGateway",
                "ec2:AttachNetworkInterface",
                "ec2:AttachVolume",
                "ec2:AttachVpnGateway",
                "ec2:BundleInstance",
                "ec2:ConfirmProductInstance",
                "ec2:CopyImage",
                "ec2:CopySnapshot",
                "ec2:CreateCustomerGateway",
                "ec2:CreateDhcpOptions",
                "ec2:CreateFlowLogs",
                "ec2:CreateImage",
                "ec2:CreateInstanceExportTask",
                "ec2:CreateInternetGateway",
                "ec2:CreateKeyPair",
                "ec2:CreateNatGateway",
                "ec2:CreateNetworkAcl",
                "ec2:CreateNetworkAclEntry",
                "ec2:CreateNetworkInterface",
                "ec2:CreatePlacementGroup",
                "ec2:CreateReservedInstancesListing",
                "ec2:CreateRoute",
                "ec2:CreateRouteTable",
                "ec2:CreateSnapshot",
                "ec2:CreateSpotDatafeedSubscription",
                "ec2:CreateSubnet",
                "ec2:CreateTags",
                "ec2:CreateVolume",
                "ec2:CreateVpc",
                "ec2:CreateVpcEndpoint",
                "ec2:CreateVpcPeeringConnection",
                "ec2:CreateVpnConnection",
                "ec2:CreateVpnConnectionRoute",
                "ec2:CreateVpnGateway",
                "ec2:DeleteCustomerGateway",
                "ec2:DeleteDhcpOptions",
                "ec2:DeleteFlowLogs",
                "ec2:DeleteInternetGateway",
                "ec2:DeleteKeyPair",
                "ec2:DeleteNatGateway",
                "ec2:DeleteNetworkAcl",
                "ec2:DeleteNetworkAclEntry",
                "ec2:DeleteNetworkInterface",
                "ec2:DeletePlacementGroup",
                "ec2:DeleteRoute",
                "ec2:DeleteRouteTable",
                "ec2:DeleteSnapshot",
                "ec2:DeleteSpotDatafeedSubscription",
                "ec2:DeleteSubnet",
                "ec2:DeleteTags",
                "ec2:DeleteVolume",
                "ec2:DeleteVpc",
                "ec2:DeleteVpcEndpoints",
                "ec2:DeleteVpcPeeringConnection",
                "ec2:DeleteVpnConnection",
                "ec2:DeleteVpnConnectionRoute",
                "ec2:DeleteVpnGateway",
                "ec2:DeregisterImage",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAddresses",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeBundleTasks",
                "ec2:DescribeClassicLinkInstances",
                "ec2:DescribeConversionTasks",
                "ec2:DescribeCustomerGateways",
                "ec2:DescribeDhcpOptions",
                "ec2:DescribeExportTasks",
                "ec2:DescribeFlowLogs",
                "ec2:DescribeHosts",
                "ec2:DescribeImageAttribute",
                "ec2:DescribeImages",
                "ec2:DescribeImportImageTasks",
                "ec2:DescribeImportSnapshotTasks",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeMovingAddresses",
                "ec2:DescribeNatGateways",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeNetworkInterfaceAttribute",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribePlacementGroups",
                "ec2:DescribePrefixLists",
                "ec2:DescribeRegions",
                "ec2:DescribeReservedInstances",
                "ec2:DescribeReservedInstancesListings",
                "ec2:DescribeReservedInstancesModifications",
                "ec2:DescribeReservedInstancesOfferings",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSnapshotAttribute",
                "ec2:DescribeSnapshots",
                "ec2:DescribeSpotDatafeedSubscription",
                "ec2:DescribeSpotFleetInstances",
                "ec2:DescribeSpotFleetInstances",
                "ec2:DescribeSpotFleetRequestHistory",
                "ec2:DescribeSpotFleetRequestHistory",
                "ec2:DescribeSpotFleetRequests",
                "ec2:DescribeSpotFleetRequests",
                "ec2:DescribeSpotInstanceRequests",
                "ec2:DescribeSpotPriceHistory",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:DescribeVolumeAttribute",
                "ec2:DescribeVolumes",
                "ec2:DescribeVolumeStatus",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcClassicLink",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeVpcEndpointServices",
                "ec2:DescribeVpcPeeringConnections",
                "ec2:DescribeVpcs",
                "ec2:DescribeVpnConnections",
                "ec2:DescribeVpnGateways",
                "ec2:DetachClassicLinkVpc",
                "ec2:DetachInternetGateway",
                "ec2:DetachNetworkInterface",
                "ec2:DetachVolume",
                "ec2:DetachVpnGateway",
                "ec2:DisableVgwRoutePropagation",
                "ec2:DisableVpcClassicLink",
                "ec2:DisassociateAddress",
                "ec2:DisassociateRouteTable",
                "ec2:EnableVgwRoutePropagation",
                "ec2:EnableVolumeIO",
                "ec2:EnableVpcClassicLink",
                "ec2:GetConsoleOutput",
                "ec2:GetPasswordData",
                "ec2:ImportImage",
                "ec2:ImportInstance",
                "ec2:ImportKeyPair",
                "ec2:ImportSnapshot",
                "ec2:ImportVolume",
                "ec2:ModifyHosts",
                "ec2:ModifyIdFormat",
                "ec2:ModifyImageAttribute",
                "ec2:ModifyInstanceAttribute",
                "ec2:ModifyInstancePlacement",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:ModifyReservedInstances",
                "ec2:ModifySnapshotAttribute",
                "ec2:ModifySpotFleetRequest",
                "ec2:ModifySubnetAttribute",
                "ec2:ModifyVolumeAttribute",
                "ec2:ModifyVpcAttribute",
                "ec2:ModifyVpcEndpoint",
                "ec2:ModifyVpcPeeringConnectionOptions",
                "ec2:MonitorInstances",
                "ec2:MoveAddressToVpc",
                "ec2:PurchaseReservedInstancesOffering",
                "ec2:RebootInstances",
                "ec2:RegisterImage",
                "ec2:RejectVpcPeeringConnection",
                "ec2:ReleaseAddress",
                "ec2:ReportInstanceStatus",
                "ec2:RestoreAddressToClassic",
                "ec2:RunInstances",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
                "ec2:UnassignPrivateIpAddresses",
                "ec2:UnmonitorInstances",
                "s3:*",
                "elasticloadbalancing:*",
                "autoscaling:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeTags"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupEgress"
            ],
            "Resource": "arn:aws:ec2:REGION:ACCOUNTNUMBER:security-group/*",
            "Condition": {
                "ArnEquals": {
                    "ec2:Vpc": "arn:aws:ec2:REGION:ACCOUNTNUMBER:vpc/VPCID"
                }
            }
        }
    ]
}

您可以根据需要更改 EC2 操作。

相关内容