我想要创建一个 IAM 策略,允许用户按如下方式部署实例:
- 他们只能使用 1 个 AMI
- 他们只能部署到 1 个特定的 VPC 子网
- 他们只能使用 1 个特定的 VPC 安全组
此处的 VPC 文档讨论了此场景(示例 4):
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_IAM.html#subnet-sg-example-iam
我自己尝试编写的策略版本如下:
{
"Version": "2012-10-17",
"Statement":[{
"Effect":"Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:eu-west-1:937821706121:image/ami-141ac363",
"arn:aws:ec2:eu-west-1:937821706121:subnet/subnet-733de516",
"arn:aws:ec2:eu-west-1:937821706121:network-interface/*",
"arn:aws:ec2:eu-west-1:937821706121:volume/*",
"arn:aws:ec2:eu-west-1:937821706121:key-pair/*",
"arn:aws:ec2:eu-west-1:937821706121:security-group/sg-4aa80f2f"
]
}]
}
不起作用。当我尝试以适用此策略的组成员身份部署实例时,权限被拒绝。我是否需要包含其他策略以允许以这种方式部署实例?
答案1
基本上,除了设置全局管理或只读策略之外,IAM 文档在执行任何其他操作时都是完全不可靠的。
这是我最终制定的策略(至少子网这一部分是有效的):
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:eu-west-1:937821706121:network-interface/*"
],
"Condition": {
"ArnNotEquals": {
"ec2:Subnet": "arn:aws:ec2:eu-west-1:937821706121:subnet/subnet-733de516"
}
}
},
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:eu-west-1::image/ami-*",
"arn:aws:ec2:eu-west-1:937821706121:network-interface/*",
"arn:aws:ec2:eu-west-1:937821706121:instance/*",
"arn:aws:ec2:eu-west-1:937821706121:subnet/*",
"arn:aws:ec2:eu-west-1:937821706121:volume/*",
"arn:aws:ec2:eu-west-1:937821706121:key-pair/*",
"arn:aws:ec2:eu-west-1:937821706121:security-group/*"
]
}
]
}
这需要经过多次反复尝试。
基本上,当您想要按特定资源限制用户时,您需要先写一条 Deny 语句,拒绝运行实例的能力,除非满足针对特定资源 ARN 的条件;然后再写一条 Allow 语句,允许他们执行其余操作。这之所以有效,是因为 IAM 中显式的 Deny 总是优先于 Allow,所以真正起限制作用的是带条件的 Deny 语句。需要注意的是,上面的 Allow 语句里 AMI 和安全组仍然是通配的(ami-*、security-group/*),因此这个策略实际上只限制了子网,并没有限制 AMI 或安全组。
更新:
亚马逊已承认他们的文档不准确:
https://forums.aws.amazon.com/thread.jspa?threadID=160287&tstart=0
答案2
实际上,您无法直接基于 VPC 来限制这一操作。AWS 的 EC2 Describe* API 操作不支持资源级权限。作为替代,您可以对安全组按单个 VPC 施加类似的限制,如下所示:
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":[
"ec2:AcceptVpcPeeringConnection",
"ec2:AllocateAddress",
"ec2:AssignPrivateIpAddresses",
"ec2:AssociateAddress",
"ec2:AssociateDhcpOptions",
"ec2:AssociateRouteTable",
"ec2:AttachClassicLinkVpc",
"ec2:AttachInternetGateway",
"ec2:AttachNetworkInterface",
"ec2:AttachVolume",
"ec2:AttachVpnGateway",
"ec2:BundleInstance",
"ec2:ConfirmProductInstance",
"ec2:CopyImage",
"ec2:CopySnapshot",
"ec2:CreateCustomerGateway",
"ec2:CreateDhcpOptions",
"ec2:CreateFlowLogs",
"ec2:CreateImage",
"ec2:CreateInstanceExportTask",
"ec2:CreateInternetGateway",
"ec2:CreateKeyPair",
"ec2:CreateNatGateway",
"ec2:CreateNetworkAcl",
"ec2:CreateNetworkAclEntry",
"ec2:CreateNetworkInterface",
"ec2:CreatePlacementGroup",
"ec2:CreateReservedInstancesListing",
"ec2:CreateRoute",
"ec2:CreateRouteTable",
"ec2:CreateSnapshot",
"ec2:CreateSpotDatafeedSubscription",
"ec2:CreateSubnet",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:CreateVpc",
"ec2:CreateVpcEndpoint",
"ec2:CreateVpcPeeringConnection",
"ec2:CreateVpnConnection",
"ec2:CreateVpnConnectionRoute",
"ec2:CreateVpnGateway",
"ec2:DeleteCustomerGateway",
"ec2:DeleteDhcpOptions",
"ec2:DeleteFlowLogs",
"ec2:DeleteInternetGateway",
"ec2:DeleteKeyPair",
"ec2:DeleteNatGateway",
"ec2:DeleteNetworkAcl",
"ec2:DeleteNetworkAclEntry",
"ec2:DeleteNetworkInterface",
"ec2:DeletePlacementGroup",
"ec2:DeleteRoute",
"ec2:DeleteRouteTable",
"ec2:DeleteSnapshot",
"ec2:DeleteSpotDatafeedSubscription",
"ec2:DeleteSubnet",
"ec2:DeleteTags",
"ec2:DeleteVolume",
"ec2:DeleteVpc",
"ec2:DeleteVpcEndpoints",
"ec2:DeleteVpcPeeringConnection",
"ec2:DeleteVpnConnection",
"ec2:DeleteVpnConnectionRoute",
"ec2:DeleteVpnGateway",
"ec2:DeregisterImage",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeBundleTasks",
"ec2:DescribeClassicLinkInstances",
"ec2:DescribeConversionTasks",
"ec2:DescribeCustomerGateways",
"ec2:DescribeDhcpOptions",
"ec2:DescribeExportTasks",
"ec2:DescribeFlowLogs",
"ec2:DescribeHosts",
"ec2:DescribeImageAttribute",
"ec2:DescribeImages",
"ec2:DescribeImportImageTasks",
"ec2:DescribeImportSnapshotTasks",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInternetGateways",
"ec2:DescribeKeyPairs",
"ec2:DescribeMovingAddresses",
"ec2:DescribeNatGateways",
"ec2:DescribeNetworkAcls",
"ec2:DescribeNetworkInterfaceAttribute",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribePlacementGroups",
"ec2:DescribePrefixLists",
"ec2:DescribeRegions",
"ec2:DescribeReservedInstances",
"ec2:DescribeReservedInstancesListings",
"ec2:DescribeReservedInstancesModifications",
"ec2:DescribeReservedInstancesOfferings",
"ec2:DescribeRouteTables",
"ec2:DescribeSnapshotAttribute",
"ec2:DescribeSnapshots",
"ec2:DescribeSpotDatafeedSubscription",
"ec2:DescribeSpotFleetInstances",
"ec2:DescribeSpotFleetInstances",
"ec2:DescribeSpotFleetRequestHistory",
"ec2:DescribeSpotFleetRequestHistory",
"ec2:DescribeSpotFleetRequests",
"ec2:DescribeSpotFleetRequests",
"ec2:DescribeSpotInstanceRequests",
"ec2:DescribeSpotPriceHistory",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVolumeAttribute",
"ec2:DescribeVolumes",
"ec2:DescribeVolumeStatus",
"ec2:DescribeVpcAttribute",
"ec2:DescribeVpcClassicLink",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeVpcEndpointServices",
"ec2:DescribeVpcPeeringConnections",
"ec2:DescribeVpcs",
"ec2:DescribeVpnConnections",
"ec2:DescribeVpnGateways",
"ec2:DetachClassicLinkVpc",
"ec2:DetachInternetGateway",
"ec2:DetachNetworkInterface",
"ec2:DetachVolume",
"ec2:DetachVpnGateway",
"ec2:DisableVgwRoutePropagation",
"ec2:DisableVpcClassicLink",
"ec2:DisassociateAddress",
"ec2:DisassociateRouteTable",
"ec2:EnableVgwRoutePropagation",
"ec2:EnableVolumeIO",
"ec2:EnableVpcClassicLink",
"ec2:GetConsoleOutput",
"ec2:GetPasswordData",
"ec2:ImportImage",
"ec2:ImportInstance",
"ec2:ImportKeyPair",
"ec2:ImportSnapshot",
"ec2:ImportVolume",
"ec2:ModifyHosts",
"ec2:ModifyIdFormat",
"ec2:ModifyImageAttribute",
"ec2:ModifyInstanceAttribute",
"ec2:ModifyInstancePlacement",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:ModifyReservedInstances",
"ec2:ModifySnapshotAttribute",
"ec2:ModifySpotFleetRequest",
"ec2:ModifySubnetAttribute",
"ec2:ModifyVolumeAttribute",
"ec2:ModifyVpcAttribute",
"ec2:ModifyVpcEndpoint",
"ec2:ModifyVpcPeeringConnectionOptions",
"ec2:MonitorInstances",
"ec2:MoveAddressToVpc",
"ec2:PurchaseReservedInstancesOffering",
"ec2:RebootInstances",
"ec2:RegisterImage",
"ec2:RejectVpcPeeringConnection",
"ec2:ReleaseAddress",
"ec2:ReportInstanceStatus",
"ec2:RestoreAddressToClassic",
"ec2:RunInstances",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ec2:UnassignPrivateIpAddresses",
"ec2:UnmonitorInstances",
"s3:",
"elasticloadbalancing:",
"autoscaling:"
],
"Resource":""
},
{
"Effect":"Allow",
"Action":[
"ec2:DescribeSecurityGroups",
"ec2:DescribeTags"
],
"Resource":""
},
{
"Effect":"Allow",
"Action":[
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:RevokeSecurityGroupEgress"
],
"Resource":"arn:aws:ec2:REGION:ACCOUNTNUMBER:security-group/",
"Condition":{
"ArnEquals":{
"ec2:Vpc":"arn:aws:ec2:REGION:ACCOUNTNUMBER:vpc/VPCID"
}
}
}
]
}
您可以根据需要增删 EC2 操作。另外请注意:上面的策略在页面渲染时似乎丢失了 `*` 通配符——"s3:"、"elasticloadbalancing:"、"autoscaling:"、"Resource":"" 以及 security-group/ 这些值按原样是无效的,复制前需要核对原文。还要注意,前两条语句是在 Resource 为全部资源的情况下允许这一长串操作(包括 ec2:RunInstances),真正按 VPC 限定的只有第三条语句里的安全组规则变更,所以这个策略在套用前应先评估其授权范围是否过宽。