Amazon web services AWS IAM在实例级别为EC2定制的策略不';行不通
为用户创建了一个AWS IAM策略,该策略仅允许用户停止和启动实例,但如果我为某个特定实例提供ARN资源,则该策略不起作用。已向用户授予默认EC2只读权限,以描述EC2实例,并在此基础上添加自定义示例策略,如下所示:Amazon web services AWS IAM在实例级别为EC2定制的策略不';行不通,amazon-web-services,amazon-ec2,amazon-iam,Amazon Web Services,Amazon Ec2,Amazon Iam,为用户创建了一个AWS IAM策略,该策略仅允许用户停止和启动实例,但如果我为某个特定实例提供ARN资源,则该策略不起作用。已向用户授予默认EC2只读权限,以描述EC2实例,并在此基础上添加自定义示例策略,如下所示: { "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:Describe*", "ec2:RunInstances" ],
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:Describe*",
"ec2:RunInstances"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:StopInstances",
"ec2:StartInstances"
],
"Effect": "Allow",
"Resource": "arn:aws:ec2:us-west-2c:xxx23xxx11:instance/i-xxx3dxxx32xxxxxxe"
}
] }
示例策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:Describe*",
"ec2:StopInstances",
"ec2:RunInstances",
"ec2:StartInstances"
],
"Effect": "Allow",
"Resource": "*"
这很有效
于1月23日编辑(显示我所做的一切)
目标:向用户授予单个EC2实例的启动和停止实例权限
测试了不同的组合策略,但除了“资源”:“*”
:
登录:管理员用户(完全访问)
创建了一个实例,如下所示:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:Describe*",
"ec2:RunInstances"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:StopInstances",
"ec2:StartInstances"
],
"Effect": "Allow",
"Resource": "arn:aws:ec2:us-west-2c:xxx23xxx11:instance/i-xxx3dxxx32xxxxxxe"
}
] }
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:Describe*",
"ec2:RunInstances"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:StopInstances",
"ec2:StartInstances"
],
"Effect": "Allow",
"Resource": "arn:aws:ec2:us-west-2c:xxx23xxx11:instance/i-xxx3dxxx32xxxxxxe"
}
] }
testec2\u用户身份登录并尝试启动停止的实例,收到以下错误:
You are not authorized to perform this operation. Encoded authorization failure message
我有一个使用AWS的sts decode authorization message对收到的消息进行解码的计划。这就是您指定多个资源的方式:
…
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::BUCKET-NAME/home/${aws:username}",
"arn:aws:s3:::BUCKET-NAME/home/${aws:username}/*"
]
}
]
}
资料来源:
编辑:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:Describe*",
"ec2:StopInstances",
"ec2:RunInstances",
"ec2:StartInstances"
],
"Effect": "Allow",
"Resource": "*"
如果要筛选出而不是手动包含所有必需的资源,也可以使用条件。DescribeInstances不支持资源级别权限。(见附件)
如果AmazonEC2API操作不支持资源级别
权限,您可以授予用户使用该操作的权限,但
必须为策略语句的资源元素指定*
因此,您可以将您的策略改写为:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:Describe*",
"ec2:RunInstances"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:StopInstances",
"ec2:StartInstances"
],
"Effect": "Allow",
"Resource": "arn:aws:ec2:<region>:<account>:instance/<instance-id>"
}
]
}
哪种方法最简单,或者:
"Resource": [
"arn:aws:ec2:<region>:<account>:instance/*",
"arn:aws:ec2:<region>::image/*",
"arn:aws:ec2:<region>:<account>:key-pair/*",
"arn:aws:ec2:<region>:<account>:network-interface/*",
"arn:aws:ec2:<region>:<account>:placement-group/*",
"arn:aws:ec2:<region>:<account>:security-group/*",
"arn:aws:ec2:<region>::snapshot/*",
"arn:aws:ec2:<region>:<account>:subnet/*",
"arn:aws:ec2:<region>:<account>:volume/*"
]
通过这种方式,您可以确保用户不会将角色传递给EC2实例,在该实例中,角色的权限超过您希望用户拥有的权限
有关授予使用IAM角色启动EC2实例的权限的更多信息,请参阅AWS博客文章。感谢您的回复。我已经尝试过S3,它确实可以很好地工作,但我的问题与EC2实例级权限有关。我尝试了所有可能的解决方案,但实例级权限不起作用。我尝试了不使用descripe的策略,因为descripe在EC2只读策略(分配给用户)上可用。但是,在资源级别保留了停止、启动和运行实例权限,但用户的权限问题仍然存在。“资源”:“*”
如何工作而不是“资源”:“arn:aws:ec2:::instance/”
用于停止、启动和运行实例操作。似乎RunInstances
不接受格式为arn:aws:ec2::感谢您的快速响应。让我试试@卡利德:它仍然不起作用。你在你的案例中测试过这个政策吗?你是对的。RunInstances
编辑未完成。我已经更新了答案(在测试和验证我的答案是否有效后)。
{
"Version": "2012-10-17",
"Statement": [
...
{
"Action": "iam:PassRole",
"Effect": "Allow",
"Resource":"arn:aws:iam::<account>:role/<role-name>"
}
]
}