主页 / server / 问题 / 626541
Accepted
Garreth McDaid
Asked: 2014-09-06 07:34:06 +0800 CST

适用于单个 VPC 子网的 Amazon AWS IAM 策略

  • 772

我想创建一个允许用户部署实例的 IAM 策略,如下所示:

  1. 他们只能使用 1 个 AMI
  2. 他们只能部署到 1 个特定的 VPC 子网
  3. 他们只能使用 1 个特定的 VPC 安全组

此场景在此处的 VPC 文档中得到解决(示例 4):

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_IAM.html#subnet-sg-example-iam

我已经尝试过我自己的政策版本:

{
"Version": "2012-10-17",
"Statement":[{
    "Effect":"Allow",
    "Action": "ec2:RunInstances",
    "Resource": [
        "arn:aws:ec2:eu-west-1:937821706121:image/ami-141ac363",
        "arn:aws:ec2:eu-west-1:937821706121:subnet/subnet-733de516",
        "arn:aws:ec2:eu-west-1:937821706121:network-interface/*",
        "arn:aws:ec2:eu-west-1:937821706121:volume/*",
        "arn:aws:ec2:eu-west-1:937821706121:key-pair/*",
        "arn:aws:ec2:eu-west-1:937821706121:security-group/sg-4aa80f2f"
    ]
}]
}

它不起作用。当我尝试将实例部署为应用此策略的组的成员时,我的权限被拒绝。我需要包含其他一些策略以允许以这种方式部署实例吗?

amazon-vpc

2 个回答

  1. Best Answer

    基本上,当涉及到设置全局管理或只读策略之外的任何事情时,IAM 文档是完全不可靠的。

    这是我最终开始工作的策略(至少对于子网位):

    {
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": [
         "arn:aws:ec2:eu-west-1:937821706121:network-interface/*"
      ],
     "Condition": {
         "ArnNotEquals": {
            "ec2:Subnet": "arn:aws:ec2:eu-west-1:937821706121:subnet/subnet-733de516"
            }
      }
   },
   {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
         "arn:aws:ec2:eu-west-1::image/ami-*",
         "arn:aws:ec2:eu-west-1:937821706121:network-interface/*",
         "arn:aws:ec2:eu-west-1:937821706121:instance/*",
         "arn:aws:ec2:eu-west-1:937821706121:subnet/*",
         "arn:aws:ec2:eu-west-1:937821706121:volume/*",
         "arn:aws:ec2:eu-west-1:937821706121:key-pair/*",
         "arn:aws:ec2:eu-west-1:937821706121:security-group/*"
         ]
      }
   ]
}

    这需要大量的试验和错误。

    基本上,当您想根据特定资源限制用户时,您需要创建一个语句,首先拒绝运行实例的能力,除非特定 arn 资源满足条件,然后最后允许它们执行任何操作。

    更新:

    亚马逊承认他们的文档不准确:

    https://forums.aws.amazon.com/thread.jspa?threadID=160287&tstart=0

    • 7

  2. 您实际上无法基于 VPC 做到这一点。AWS 不支持针对资源级别权限的 EC2-Describe* API 操作。相反,您可以基于安全组上的单个 VPC 应用类似的东西,如下所示:

    {  
   "Version":"2012-10-17",
   "Statement":[  
      {  
         "Effect":"Allow",
         "Action":[  
            "ec2:AcceptVpcPeeringConnection",
            "ec2:AllocateAddress",
            "ec2:AssignPrivateIpAddresses",
            "ec2:AssociateAddress",
            "ec2:AssociateDhcpOptions",
            "ec2:AssociateRouteTable",
            "ec2:AttachClassicLinkVpc",
            "ec2:AttachInternetGateway",
            "ec2:AttachNetworkInterface",
            "ec2:AttachVolume",
            "ec2:AttachVpnGateway",
            "ec2:BundleInstance",
            "ec2:ConfirmProductInstance",
            "ec2:CopyImage",
            "ec2:CopySnapshot",
            "ec2:CreateCustomerGateway",
            "ec2:CreateDhcpOptions",
            "ec2:CreateFlowLogs",
            "ec2:CreateImage",
            "ec2:CreateInstanceExportTask",
            "ec2:CreateInternetGateway",
            "ec2:CreateKeyPair",
            "ec2:CreateNatGateway",
            "ec2:CreateNetworkAcl",
            "ec2:CreateNetworkAclEntry",
            "ec2:CreateNetworkInterface",
            "ec2:CreatePlacementGroup",
            "ec2:CreateReservedInstancesListing",
            "ec2:CreateRoute",
            "ec2:CreateRouteTable",
            "ec2:CreateSnapshot",
            "ec2:CreateSpotDatafeedSubscription",
            "ec2:CreateSubnet",
            "ec2:CreateTags",
            "ec2:CreateVolume",
            "ec2:CreateVpc",
            "ec2:CreateVpcEndpoint",
            "ec2:CreateVpcPeeringConnection",
            "ec2:CreateVpnConnection",
            "ec2:CreateVpnConnectionRoute",
            "ec2:CreateVpnGateway",
            "ec2:DeleteCustomerGateway",
            "ec2:DeleteDhcpOptions",
            "ec2:DeleteFlowLogs",
            "ec2:DeleteInternetGateway",
            "ec2:DeleteKeyPair",
            "ec2:DeleteNatGateway",
            "ec2:DeleteNetworkAcl",
            "ec2:DeleteNetworkAclEntry",
            "ec2:DeleteNetworkInterface",
            "ec2:DeletePlacementGroup",
            "ec2:DeleteRoute",
            "ec2:DeleteRouteTable",
            "ec2:DeleteSnapshot",
            "ec2:DeleteSpotDatafeedSubscription",
            "ec2:DeleteSubnet",
            "ec2:DeleteTags",
            "ec2:DeleteVolume",
            "ec2:DeleteVpc",
            "ec2:DeleteVpcEndpoints",
            "ec2:DeleteVpcPeeringConnection",
            "ec2:DeleteVpnConnection",
            "ec2:DeleteVpnConnectionRoute",
            "ec2:DeleteVpnGateway",
            "ec2:DeregisterImage",
            "ec2:DescribeAccountAttributes",
            "ec2:DescribeAddresses",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeBundleTasks",
            "ec2:DescribeClassicLinkInstances",
            "ec2:DescribeConversionTasks",
            "ec2:DescribeCustomerGateways",
            "ec2:DescribeDhcpOptions",
            "ec2:DescribeExportTasks",
            "ec2:DescribeFlowLogs",
            "ec2:DescribeHosts",
            "ec2:DescribeImageAttribute",
            "ec2:DescribeImages",
            "ec2:DescribeImportImageTasks",
            "ec2:DescribeImportSnapshotTasks",
            "ec2:DescribeInstanceAttribute",
            "ec2:DescribeInstances",
            "ec2:DescribeInstanceStatus",
            "ec2:DescribeInternetGateways",
            "ec2:DescribeKeyPairs",
            "ec2:DescribeMovingAddresses",
            "ec2:DescribeNatGateways",
            "ec2:DescribeNetworkAcls",
            "ec2:DescribeNetworkInterfaceAttribute",
            "ec2:DescribeNetworkInterfaces",
            "ec2:DescribePlacementGroups",
            "ec2:DescribePrefixLists",
            "ec2:DescribeRegions",
            "ec2:DescribeReservedInstances",
            "ec2:DescribeReservedInstancesListings",
            "ec2:DescribeReservedInstancesModifications",
            "ec2:DescribeReservedInstancesOfferings",
            "ec2:DescribeRouteTables",
            "ec2:DescribeSnapshotAttribute",
            "ec2:DescribeSnapshots",
            "ec2:DescribeSpotDatafeedSubscription",
            "ec2:DescribeSpotFleetInstances",
            "ec2:DescribeSpotFleetInstances",
            "ec2:DescribeSpotFleetRequestHistory",
            "ec2:DescribeSpotFleetRequestHistory",
            "ec2:DescribeSpotFleetRequests",
            "ec2:DescribeSpotFleetRequests",
            "ec2:DescribeSpotInstanceRequests",
            "ec2:DescribeSpotPriceHistory",
            "ec2:DescribeSubnets",
            "ec2:DescribeTags",
            "ec2:DescribeVolumeAttribute",
            "ec2:DescribeVolumes",
            "ec2:DescribeVolumeStatus",
            "ec2:DescribeVpcAttribute",
            "ec2:DescribeVpcClassicLink",
            "ec2:DescribeVpcEndpoints",
            "ec2:DescribeVpcEndpointServices",
            "ec2:DescribeVpcPeeringConnections",
            "ec2:DescribeVpcs",
            "ec2:DescribeVpnConnections",
            "ec2:DescribeVpnGateways",
            "ec2:DetachClassicLinkVpc",
            "ec2:DetachInternetGateway",
            "ec2:DetachNetworkInterface",
            "ec2:DetachVolume",
            "ec2:DetachVpnGateway",
            "ec2:DisableVgwRoutePropagation",
            "ec2:DisableVpcClassicLink",
            "ec2:DisassociateAddress",
            "ec2:DisassociateRouteTable",
            "ec2:EnableVgwRoutePropagation",
            "ec2:EnableVolumeIO",
            "ec2:EnableVpcClassicLink",
            "ec2:GetConsoleOutput",
            "ec2:GetPasswordData",
            "ec2:ImportImage",
            "ec2:ImportInstance",
            "ec2:ImportKeyPair",
            "ec2:ImportSnapshot",
            "ec2:ImportVolume",
            "ec2:ModifyHosts",
            "ec2:ModifyIdFormat",
            "ec2:ModifyImageAttribute",
            "ec2:ModifyInstanceAttribute",
            "ec2:ModifyInstancePlacement",
            "ec2:ModifyNetworkInterfaceAttribute",
            "ec2:ModifyReservedInstances",
            "ec2:ModifySnapshotAttribute",
            "ec2:ModifySpotFleetRequest",
            "ec2:ModifySubnetAttribute",
            "ec2:ModifyVolumeAttribute",
            "ec2:ModifyVpcAttribute",
            "ec2:ModifyVpcEndpoint",
            "ec2:ModifyVpcPeeringConnectionOptions",
            "ec2:MonitorInstances",
            "ec2:MoveAddressToVpc",
            "ec2:PurchaseReservedInstancesOffering",
            "ec2:RebootInstances",
            "ec2:RegisterImage",
            "ec2:RejectVpcPeeringConnection",
            "ec2:ReleaseAddress",
            "ec2:ReportInstanceStatus",
            "ec2:RestoreAddressToClassic",
            "ec2:RunInstances",
            "ec2:StartInstances",
            "ec2:StopInstances",
            "ec2:TerminateInstances",
            "ec2:UnassignPrivateIpAddresses",
            "ec2:UnmonitorInstances",
            "s3:",
            "elasticloadbalancing:",
            "autoscaling:"
         ],
         "Resource":""
      },
      {  
         "Effect":"Allow",
         "Action":[  
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeTags"
         ],
         "Resource":""
      },
      {  
         "Effect":"Allow",
         "Action":[  
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:RevokeSecurityGroupIngress",
            "ec2:AuthorizeSecurityGroupEgress",
            "ec2:RevokeSecurityGroupEgress"
         ],
         "Resource":"arn:aws:ec2:REGION:ACCOUNTNUMBER:security-group/",
         "Condition":{  
            "ArnEquals":{  
               "ec2:Vpc":"arn:aws:ec2:REGION:ACCOUNTNUMBER:vpc/VPCID"
            }
         }
      }
   ]
}

    您可以根据需要更改 EC2 操作。

    • -1

相关问题