我想创建一个允许用户部署实例的 IAM 策略,如下所示:
VPC文档(示例4)中解决了这种情况:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_IAM.html#subnet-sg-example-iam
我尝试了我自己编写的策略版本:
{ "Version": "2012-10-17", "Statement":[{ "Effect":"Allow", "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:eu-west-1:937821706121:image/ami-141ac363", "arn:aws:ec2:eu-west-1:937821706121:subnet/subnet-733de516", "arn:aws:ec2:eu-west-1:937821706121:network-interface/*", "arn:aws:ec2:eu-west-1:937821706121:volume/*", "arn:aws:ec2:eu-west-1:937821706121:key-pair/*", "arn:aws:ec2:eu-west-1:937821706121:security-group/sg-4aa80f2f" ] }] }
它不起作用。 当我以"应用了此策略的组的成员"这一用户身份尝试部署实例时,我得到的是权限被拒绝。 要以这种方式部署实例,我是否还需要在此基础上附加其他策略?
基本上,除了设置全局管理或只读策略之外,IAM 文档完全不可靠。
这是我最终得到的策略(至少在子网限制方面有效):
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Deny", "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:eu-west-1:937821706121:network-interface/*" ], "Condition": { "ArnNotEquals": { "ec2:Subnet": "arn:aws:ec2:eu-west-1:937821706121:subnet/subnet-733de516" } } }, { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:eu-west-1::image/ami-*", "arn:aws:ec2:eu-west-1:937821706121:network-interface/*", "arn:aws:ec2:eu-west-1:937821706121:instance/*", "arn:aws:ec2:eu-west-1:937821706121:subnet/*", "arn:aws:ec2:eu-west-1:937821706121:volume/*", "arn:aws:ec2:eu-west-1:937821706121:key-pair/*", "arn:aws:ec2:eu-west-1:937821706121:security-group/*" ] } ] }
这花了大量的反复试错。
基本上,当你想把用户限制在特定资源上时,需要这样编写 Statement:先用一条 Deny 语句拒绝运行实例的能力,除非在特定资源上满足条件;然后再用一条 Allow 语句允许他们做其他的事情。
更新:
亚马逊已经承认他们的文档不准确:
https://forums.aws.amazon.com/thread.jspa?threadID=160287&tstart=0
你不能基于 VPC 做到这一点。 AWS 对 EC2 的 Describe* API 操作不支持资源级权限。 作为替代,你可以在安全组上应用类似的、基于单个 VPC 的限制,如下所示:
{
"Version":"2012-10-17", "Statement":[
{
"Effect":"Allow", "Action":[
"ec2:AcceptVpcPeeringConnection", "ec2:AllocateAddress", "ec2:AssignPrivateIpAddresses", "ec2:AssociateAddress", "ec2:AssociateDhcpOptions", "ec2:AssociateRouteTable", "ec2:AttachClassicLinkVpc", "ec2:AttachInternetGateway", "ec2:AttachNetworkInterface", "ec2:AttachVolume", "ec2:AttachVpnGateway", "ec2:BundleInstance", "ec2:ConfirmProductInstance", "ec2:CopyImage", "ec2:CopySnapshot", "ec2:CreateCustomerGateway", "ec2:CreateDhcpOptions", "ec2:CreateFlowLogs", "ec2:CreateImage", "ec2:CreateInstanceExportTask", "ec2:CreateInternetGateway", "ec2:CreateKeyPair", "ec2:CreateNatGateway", "ec2:CreateNetworkAcl", "ec2:CreateNetworkAclEntry", "ec2:CreateNetworkInterface", "ec2:CreatePlacementGroup", "ec2:CreateReservedInstancesListing", "ec2:CreateRoute", "ec2:CreateRouteTable", "ec2:CreateSnapshot", "ec2:CreateSpotDatafeedSubscription", "ec2:CreateSubnet", "ec2:CreateTags", "ec2:CreateVolume", "ec2:CreateVpc", "ec2:CreateVpcEndpoint", "ec2:CreateVpcPeeringConnection", "ec2:CreateVpnConnection", "ec2:CreateVpnConnectionRoute", "ec2:CreateVpnGateway", "ec2:DeleteCustomerGateway", "ec2:DeleteDhcpOptions", "ec2:DeleteFlowLogs", "ec2:DeleteInternetGateway", "ec2:DeleteKeyPair", "ec2:DeleteNatGateway", "ec2:DeleteNetworkAcl", "ec2:DeleteNetworkAclEntry", "ec2:DeleteNetworkInterface", "ec2:DeletePlacementGroup", "ec2:DeleteRoute", "ec2:DeleteRouteTable", "ec2:DeleteSnapshot", "ec2:DeleteSpotDatafeedSubscription", "ec2:DeleteSubnet", "ec2:DeleteTags", "ec2:DeleteVolume", "ec2:DeleteVpc", "ec2:DeleteVpcEndpoints", "ec2:DeleteVpcPeeringConnection", "ec2:DeleteVpnConnection", "ec2:DeleteVpnConnectionRoute", "ec2:DeleteVpnGateway", "ec2:DeregisterImage", "ec2:DescribeAccountAttributes", "ec2:DescribeAddresses", "ec2:DescribeAvailabilityZones", "ec2:DescribeBundleTasks", "ec2:DescribeClassicLinkInstances", "ec2:DescribeConversionTasks", "ec2:DescribeCustomerGateways", "ec2:DescribeDhcpOptions", "ec2:DescribeExportTasks", "ec2:DescribeFlowLogs", "ec2:DescribeHosts", 
"ec2:DescribeImageAttribute", "ec2:DescribeImages", "ec2:DescribeImportImageTasks", "ec2:DescribeImportSnapshotTasks", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeInternetGateways", "ec2:DescribeKeyPairs", "ec2:DescribeMovingAddresses", "ec2:DescribeNatGateways", "ec2:DescribeNetworkAcls", "ec2:DescribeNetworkInterfaceAttribute", "ec2:DescribeNetworkInterfaces", "ec2:DescribePlacementGroups", "ec2:DescribePrefixLists", "ec2:DescribeRegions", "ec2:DescribeReservedInstances", "ec2:DescribeReservedInstancesListings", "ec2:DescribeReservedInstancesModifications", "ec2:DescribeReservedInstancesOfferings", "ec2:DescribeRouteTables", "ec2:DescribeSnapshotAttribute", "ec2:DescribeSnapshots", "ec2:DescribeSpotDatafeedSubscription", "ec2:DescribeSpotFleetInstances", "ec2:DescribeSpotFleetInstances", "ec2:DescribeSpotFleetRequestHistory", "ec2:DescribeSpotFleetRequestHistory", "ec2:DescribeSpotFleetRequests", "ec2:DescribeSpotFleetRequests", "ec2:DescribeSpotInstanceRequests", "ec2:DescribeSpotPriceHistory", "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumeAttribute", "ec2:DescribeVolumes", "ec2:DescribeVolumeStatus", "ec2:DescribeVpcAttribute", "ec2:DescribeVpcClassicLink", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcEndpointServices", "ec2:DescribeVpcPeeringConnections", "ec2:DescribeVpcs", "ec2:DescribeVpnConnections", "ec2:DescribeVpnGateways", "ec2:DetachClassicLinkVpc", "ec2:DetachInternetGateway", "ec2:DetachNetworkInterface", "ec2:DetachVolume", "ec2:DetachVpnGateway", "ec2:DisableVgwRoutePropagation", "ec2:DisableVpcClassicLink", "ec2:DisassociateAddress", "ec2:DisassociateRouteTable", "ec2:EnableVgwRoutePropagation", "ec2:EnableVolumeIO", "ec2:EnableVpcClassicLink", "ec2:GetConsoleOutput", "ec2:GetPasswordData", "ec2:ImportImage", "ec2:ImportInstance", "ec2:ImportKeyPair", "ec2:ImportSnapshot", "ec2:ImportVolume", "ec2:ModifyHosts", "ec2:ModifyIdFormat", "ec2:ModifyImageAttribute", 
"ec2:ModifyInstanceAttribute", "ec2:ModifyInstancePlacement", "ec2:ModifyNetworkInterfaceAttribute", "ec2:ModifyReservedInstances", "ec2:ModifySnapshotAttribute", "ec2:ModifySpotFleetRequest", "ec2:ModifySubnetAttribute", "ec2:ModifyVolumeAttribute", "ec2:ModifyVpcAttribute", "ec2:ModifyVpcEndpoint", "ec2:ModifyVpcPeeringConnectionOptions", "ec2:MonitorInstances", "ec2:MoveAddressToVpc", "ec2:PurchaseReservedInstancesOffering", "ec2:RebootInstances", "ec2:RegisterImage", "ec2:RejectVpcPeeringConnection", "ec2:ReleaseAddress", "ec2:ReportInstanceStatus", "ec2:RestoreAddressToClassic", "ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances", "ec2:UnassignPrivateIpAddresses", "ec2:UnmonitorInstances", "s3:", "elasticloadbalancing:", "autoscaling:" ], "Resource":"" }, {
"Effect":"Allow", "Action":[
"ec2:DescribeSecurityGroups", "ec2:DescribeTags" ], "Resource":"" }, {
"Effect":"Allow", "Action":[
"ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress", "ec2:RevokeSecurityGroupEgress" ], "Resource":"arn:aws:ec2:REGION:ACCOUNTNUMBER:security-group/", "Condition":{
"ArnEquals":{
"ec2:Vpc":"arn:aws:ec2:REGION:ACCOUNTNUMBER:vpc/VPCID" } } } ] }
您可以根据需要调整其中的 EC2 操作列表。