Amazon web services 更新和部署弹性Beanstalk应用程序所需的最低策略是什么？

我想从我的持续部署系统（Codeship）在Elastic Beanstalk上更新和部署一个新版本，但也想锁定部署用户拥有的权限

---

如果需要权限，最小设置是多少？

此IAM策略提供执行“上载和部署”功能所需的所有权限：

• 对于新的应用程序版本
• 在指定的弹性豆茎环境中

替换以下内容：

• 将$REGION替换为特定区域，例如：us-east-1
• 将$ACCOUNT替换为帐号（不带破折号），例如：123456789012
• 将$APPLICATION替换为特定的应用程序，例如：My Beanstalk应用程序
• 将$ENVIRONMENT替换为特定环境，例如：My Beanstalk环境

节点：如果将日志推送到CloudWatch，则需要附加策略

---

---

我开始问自己同样的问题。我正在从bitbucket管道向Beanstalk部署一个停靠的应用程序。我在这里检查了一下，但是政策中似乎包含了许多不必要的行动和资源。

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAutoscalingSuspendAndResumeProcesses",
      "Action": [
        "autoscaling:SuspendProcesses",
        "autoscaling:ResumeProcesses"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "AllowElasticBeanstalkValidateConfigurationSettings",
      "Action": [
        "elasticbeanstalk:ValidateConfigurationSettings"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:$REGION:$ACCOUNT:environment/$APPLICATION/$ENVIRONMENT"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": [
            "arn:aws:elasticbeanstalk:$REGION:$ACCOUNT:application/$APPLICATION"
          ]
        }
      }
    },
    {
      "Sid": "AllowS3PutAndDeleteObjectInProperBucket",
      "Action": [
        "s3:Put*",
        "s3:Delete*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::elasticbeanstalk-$REGION-$ACCOUNT/*"
      ]
    },
    {
      "Sid": "AllowElasticBeanstalkCreateStorageLocation",
      "Action": [
        "elasticbeanstalk:CreateStorageLocation"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "AllowElasticBeanstalkCreateApplicationVersion",
      "Action": [
        "elasticbeanstalk:CreateApplicationVersion"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:$REGION:$ACCOUNT:applicationversion/$APPLICATION/*"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": [
            "arn:aws:elasticbeanstalk:$REGION:$ACCOUNT:application/$APPLICATION"
          ]
        }
      }
    },
    {
      "Sid": "AllowElasticBeanstalkUpdateEnvironment",
      "Action": [
        "elasticbeanstalk:UpdateEnvironment"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:$REGION:$ACCOUNT:environment/$APPLICATION/$ENVIRONMENT"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": [
            "arn:aws:elasticbeanstalk:$REGION:$ACCOUNT:application/$APPLICATION"
          ]
        },
        "StringLike": {
          "elasticbeanstalk:FromApplicationVersion": [
            "arn:aws:elasticbeanstalk:$REGION:$ACCOUNT:applicationversion/$APPLICATION/*"
          ]
        }
      }
    },
    {
      "Sid": "AllowElasticBeanstalkReadOnlyAccess",
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:Check*",
        "elasticbeanstalk:Describe*",
        "elasticbeanstalk:List*",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RetrieveEnvironmentInfo",
        "ec2:Describe*",
        "elasticloadbalancing:Describe*",
        "autoscaling:Describe*",
        "cloudwatch:Describe*",
        "cloudwatch:List*",
        "cloudwatch:Get*",
        "s3:Get*",
        "s3:List*",
        "sns:Get*",
        "sns:List*",
        "cloudformation:Describe*",
        "cloudformation:Get*",
        "cloudformation:List*",
        "cloudformation:Validate*",
        "cloudformation:Estimate*",
        "rds:Describe*",
        "sqs:Get*",
        "sqs:List*"
      ],
      "Resource": "*"
    }
  ]
}