Amazon EC2 IAM policy: restrict modification to a single security group

Tags: amazon-ec2, amazon-iam

I am trying to create an IAM policy in Amazon AWS that allows viewing or editing/modifying a single security group. I followed the AWS documentation but could not get this policy to work. The policy I created looks like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt123456789123",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSecurityGroups",
        "ec2:*"
      ],
      "Resource": [
        "arn:aws:ec2:us-east-1:000000000000:security-group/sg-a123a1a1"
      ]
    }
  ]
}
Yes, I know I have a redundant action, but I noticed that you can specify DescribeSecurityGroups while there is no modify option, so "*" is my only choice; thankfully, the Resource element should let me restrict that action to a single security group.

You can add new rules to a security group with, for example,
aws ec2 authorize-security-group-ingress --group-name MySecurityGroup --protocol tcp --port 3389 --cidr 203.0.113.0/24
Tags can be changed as well.

Partly possible, see: you can indeed restrict editing to just one group, but I don't get a listing of only that one group:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1413232782000",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstances",
        "ec2:DescribeNetworkAcls",
        "ec2:DescribeSecurityGroups"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "Stmt1413232782001",
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress"
      ],
      "Resource": [
        "arn:aws:ec2:us-east-1:<accountid>:security-group/sg-<id>"
      ]
    }
  ]
}

Here is what I managed to put together; it works very well.

Create the following policy and attach it to a user group (or create a user group for it):

Update the items in {braces}.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:RevokeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:DeleteSecurityGroup"
      ],
      "Resource": "arn:aws:ec2:{REGION}:{ACCOUNT_NUMBER}:security-group/{NSG-ID}",
      "Condition": {
        "ArnEquals": {
          "ec2:Vpc": "arn:aws:ec2:{REGION}:{ACCOUNT_NUMBER}:vpc/{VPC-ID}"
        }
      }
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSecurityGroupReferences",
        "ec2:DescribeVpcs",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeStaleSecurityGroups"
      ],
      "Resource": "*"
    }
  ]
}
Well, it looks like the code formatter doesn't handle this properly, but you can read the reference here:
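Added example, not part of the original thread: a small offline Python linter for the policies posted above. It flags the two defects the thread ran into. First, the question's policy scopes ec2:DescribeSecurityGroups and ec2:* to a security-group ARN, which cannot work because EC2 Describe actions do not support resource-level permissions; they have to sit in their own statement with Resource "*", which is exactly the two-statement shape the answers use. Second, it checks that a security-group ARN names the ec2 service segment (arn:aws:ec2:region:account:security-group/sg-...). split_policy() rewrites a mixed statement into that two-statement form; narrowing ec2:* down to the four rule-editing actions is a least-privilege choice made here, not something the thread prescribes. The sample policy, account number and group id are constructed.

```python
"""Offline linter for EC2 security-group IAM policies (added example).

Pitfalls checked:
  1. ec2:Describe* actions (and ec2:*, which includes them) do not support
     resource-level permissions. Scoping them to a security-group ARN does
     not narrow them; the Describe calls are simply denied. They belong in
     a separate statement with Resource "*".
  2. A security-group ARN has the shape
     arn:aws:ec2:<region>:<account-id>:security-group/<sg-id>
     and is useless if the ec2 service segment is missing.
"""
import json
import re

# Rule-editing actions that do accept a security-group ARN (the ones used in
# the answers above); used when expanding ec2:* into least-privilege form.
SG_RULE_ACTIONS = [
    "ec2:AuthorizeSecurityGroupIngress",
    "ec2:AuthorizeSecurityGroupEgress",
    "ec2:RevokeSecurityGroupIngress",
    "ec2:RevokeSecurityGroupEgress",
]

SG_ARN = re.compile(r"^arn:aws:ec2:[a-z0-9-]+:\d{12}:security-group/sg-[0-9a-f]+$")


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_describe(action):
    """True if the action string covers any ec2:Describe* call."""
    a = action.lower()  # IAM action names are matched case-insensitively
    return a in ("*", "ec2:*") or a.startswith("ec2:describe")


def lint_policy(policy):
    """Return a list of (sid, message) findings; empty means no known pitfall."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        resources = _as_list(stmt.get("Resource", []))
        scoped = any(r != "*" for r in resources)
        for action in _as_list(stmt.get("Action", [])):
            if scoped and _is_describe(action):
                findings.append((sid, f"{action} ignores resource-level scoping; "
                                      'put Describe actions in a statement with Resource "*"'))
        for res in resources:
            if "security-group/" in res and not SG_ARN.match(res):
                findings.append((sid, f"malformed security-group ARN: {res}"))
    return findings


def split_policy(policy):
    """Rewrite an Allow statement that mixes Describe and rule actions on an SG
    ARN into the two-statement form from the answers: Describe actions on "*",
    rule actions on the ARN. ec2:* is narrowed to SG_RULE_ACTIONS (a
    least-privilege choice made in this example)."""
    out = []
    for stmt in policy.get("Statement", []):
        resources = _as_list(stmt.get("Resource", []))
        if stmt.get("Effect") != "Allow" or not any(r != "*" for r in resources):
            out.append(stmt)
            continue
        describe, scoped = [], []
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() in ("*", "ec2:*"):
                describe.append("ec2:DescribeSecurityGroups")
                scoped.extend(SG_RULE_ACTIONS)
            elif _is_describe(action):
                describe.append(action)
            else:
                scoped.append(action)
        sid = stmt.get("Sid", "Stmt")
        if describe:
            out.append({"Sid": sid + "Describe", "Effect": "Allow",
                        "Action": sorted(set(describe)), "Resource": "*"})
        if scoped:
            out.append({"Sid": sid + "Modify", "Effect": "Allow",
                        "Action": sorted(set(scoped)), "Resource": resources})
    return {"Version": policy.get("Version", "2012-10-17"), "Statement": out}


# Constructed sample: the question's policy with a made-up account and group id.
QUESTION_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Stmt123456789123",
    "Effect": "Allow",
    "Action": ["ec2:DescribeSecurityGroups", "ec2:*"],
    "Resource": ["arn:aws:ec2:us-east-1:000000000000:security-group/sg-a123a1a1"]
  }]
}
""")

if __name__ == "__main__":
    for sid, msg in lint_policy(QUESTION_POLICY):
        print(f"{sid}: {msg}")
    print(json.dumps(split_policy(QUESTION_POLICY), indent=2))
```

Running it on the question's policy reports both actions as ineffective for the Describe call and prints the split policy, which then lints clean. Run it over the third answer's policy with the {braces} filled in to confirm the ARNs are well-formed before attaching it to a group.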
Thanks.

The OP is talking about the problem he faced when creating an IAM policy to manage security groups. This answer is about managing security groups with the aws cli.