Is there a default policy that grants read-only access to all AWS services? Is there a permission naming convention one could follow, such as "Allow": "Get*", in an IAM policy to achieve that result?
I know AWS provides a read-only policy for each service, but given how often new services are added, I was wondering whether they offer an aggregated "read-all" policy.
I have successfully been using Terraform with the Kubernetes provider to manage the various parts and services on an EKS cluster in AWS. I would like to manage it with Terraform Cloud (and take advantage of the nice GitHub/VCS integration). However, the kubeconfig I use for that cluster relies on the aws-iam-authenticator binary, which uses AWS credentials (and therefore IAM permissions) to authenticate and grant permissions inside the cluster through IRSA.
The Terraform Cloud instances do not have the aws-iam-authenticator binary installed, so although they have the correct AWS credentials, they cannot use them to authenticate and connect to the EKS cluster.
With regular (non-Cloud) Terraform this is not a problem: you just make sure the machine you run plan/apply on has the binary and the credentials, and it "just works". How can I get Terraform Cloud to work the same way?
We have an IAM policy that allows a role to edit security group rules:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:RevokeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupIngress"
      ],
      "Resource": "arn:aws:ec2:eu-west-1:XXXXXXXXXXX:security-group/sg-XXXXXXXXXXX"
    }
  ]
}
Since yesterday, these roles have been blocked with this message:
you may be missing iam policies that allow DescribeSecurityGroupRules
I did some research; it comes from an AWS update described in this article, but there is no indication that it could break policies, nor of what has to be done to make the policy work again.
What is the smallest change I have to make to fix this?
I have a role attached to the LaunchConfiguration of an EC2 instance that gives the EC2 instance permission to do certain things, such as CloudWatch Logs (the context is not important to the question). In CloudFormation the role looks like this:
Type: 'AWS::IAM::Role'
Properties:
  AssumeRolePolicyDocument:
    Version: '2012-10-17'
    Statement:
      - Effect: Allow
        Principal:
          Service: 'ec2.amazonaws.com'
        Action: 'sts:AssumeRole'
  Policies: ...
If I look at the role in the AWS console, under "Trust relationships" it shows "Trusted entities: The identity provider(s) ec2.amazonaws.com":
I assume CloudFormation's AssumeRolePolicyDocument.Principal.Service maps to "Trusted entities" in the console (which, by the way, is an odd way to name it, since I read "principal" as meaning something different in IAM, but anyway...). I am straining my brain trying to piece together what is going on. My question is:
Hello, I am trying to put together some permission access for a user using IAM policies:
I don't know if I'm doing it right, but this is the first 2 bullet points done. I am still trying to find out how to implement the third...
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowFullAccessToOneSpecificRegion",
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "ap-east-1"
        }
      }
    },
    {
      "Sid": "AllowReadOnlyAccessToOneSpecificRegion",
      "Action": [
        "a4b:Get*",
        "a4b:List*",
        "a4b:Search*",
        "access-analyzer:GetAnalyzedResource",
        "access-analyzer:GetAnalyzer",
        "access-analyzer:GetArchiveRule",
        "access-analyzer:GetFinding",
        "access-analyzer:ListAnalyzedResources",
        "access-analyzer:ListAnalyzers",
        "access-analyzer:ListArchiveRules",
        "access-analyzer:ListFindings",
        "access-analyzer:ListTagsForResource",
        "acm:Describe*",
        "acm:Get*",
        "acm:List*",
        "acm-pca:Describe*",
        "acm-pca:Get*",
        "acm-pca:List*",
        "amplify:GetApp",
        "amplify:GetBranch",
        "amplify:GetJob",
        "amplify:GetDomainAssociation",
        "amplify:ListApps",
        "amplify:ListBranches",
        "amplify:ListDomainAssociations",
        "amplify:ListJobs",
        "apigateway:GET",
        "application-autoscaling:Describe*",
        "applicationinsights:Describe*",
        "applicationinsights:List*",
        "appmesh:Describe*",
        "appmesh:List*",
        "appstream:Describe*",
        "appstream:Get*",
        "appstream:List*",
        "appsync:Get*",
        "appsync:List*",
        "autoscaling:Describe*",
        "autoscaling-plans:Describe*",
        "autoscaling-plans:GetScalingPlanResourceForecastData",
        "athena:List*",
        "athena:Batch*",
        "athena:Get*",
        "aws-portal:View*",
        "backup:Describe*",
        "backup:Get*",
        "backup:List*",
        "batch:List*",
        "batch:Describe*",
        "braket:GetDevice",
        "braket:GetQuantumTask",
        "braket:SearchDevices",
        "braket:SearchQuantumTasks",
        "budgets:Describe*",
        "budgets:View*",
        "cassandra:Select",
        "chatbot:Describe*",
        "chatbot:Get*",
        "chime:Get*",
        "chime:List*",
        "chime:Retrieve*",
        "chime:Search*",
        "chime:Validate*",
        "cloud9:Describe*",
        "cloud9:List*",
        "clouddirectory:List*",
        "clouddirectory:BatchRead",
        "clouddirectory:Get*",
        "clouddirectory:LookupPolicy",
        "cloudformation:Describe*",
        "cloudformation:Detect*",
        "cloudformation:Get*",
        "cloudformation:List*",
        "cloudformation:Estimate*",
        "cloudfront:Get*",
        "cloudfront:List*",
        "cloudhsm:List*",
        "cloudhsm:Describe*",
        "cloudhsm:Get*",
        "cloudsearch:Describe*",
        "cloudsearch:List*",
        "cloudtrail:Describe*",
        "cloudtrail:Get*",
        "cloudtrail:List*",
        "cloudtrail:LookupEvents",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "codeartifact:DescribeDomain",
        "codeartifact:DescribePackageVersion",
        "codeartifact:DescribeRepository",
        "codeartifact:GetAuthorizationToken",
        "codeartifact:GetDomainPermissionsPolicy",
        "codeartifact:GetPackageVersionAsset",
        "codeartifact:GetPackageVersionReadme",
        "codeartifact:GetRepositoryEndpoint",
        "codeartifact:GetRepositoryPermissionsPolicy",
        "codeartifact:ListDomains",
        "codeartifact:ListPackages",
        "codeartifact:ListPackageVersionAssets",
        "codeartifact:ListPackageVersionDependencies",
        "codeartifact:ListPackageVersions",
        "codeartifact:ListRepositories",
        "codeartifact:ListRepositoriesInDomain",
        "codebuild:BatchGet*",
        "codebuild:DescribeCodeCoverages",
        "codebuild:DescribeTestCases",
        "codebuild:List*",
        "codecommit:BatchGet*",
        "codecommit:Describe*",
        "codecommit:Get*",
        "codecommit:GitPull",
        "codecommit:List*",
        "codedeploy:BatchGet*",
        "codedeploy:Get*",
        "codedeploy:List*",
        "codeguru-profiler:Describe*",
        "codeguru-profiler:Get*",
        "codeguru-profiler:List*",
        "codeguru-reviewer:Describe*",
        "codeguru-reviewer:Get*",
        "codeguru-reviewer:List*",
        "codepipeline:List*",
        "codepipeline:Get*",
        "codestar:List*",
        "codestar:Describe*",
        "codestar:Get*",
        "codestar:Verify*",
        "codestar-notifications:describeNotificationRule",
        "codestar-notifications:listEventTypes",
        "codestar-notifications:listNotificationRules",
        "codestar-notifications:listTagsForResource",
        "codestar-notifications:ListTargets",
        "compute-optimizer:DescribeRecommendationExportJobs",
        "compute-optimizer:GetAutoScalingGroupRecommendations",
        "compute-optimizer:GetEBSVolumeRecommendations",
        "compute-optimizer:GetEC2InstanceRecommendations",
        "compute-optimizer:GetEC2RecommendationProjectedMetrics",
        "compute-optimizer:GetEnrollmentStatus",
        "compute-optimizer:GetLambdaFunctionRecommendations",
        "compute-optimizer:GetRecommendationSummaries",
        "cognito-identity:Describe*",
        "cognito-identity:GetCredentialsForIdentity",
        "cognito-identity:GetIdentityPoolRoles",
        "cognito-identity:GetOpenIdToken",
        "cognito-identity:GetOpenIdTokenForDeveloperIdentity",
        "cognito-identity:List*",
        "cognito-identity:Lookup*",
        "cognito-sync:List*",
        "cognito-sync:Describe*",
        "cognito-sync:Get*",
        "cognito-sync:QueryRecords",
        "cognito-idp:AdminGet*",
        "cognito-idp:AdminList*",
        "cognito-idp:List*",
        "cognito-idp:Describe*",
        "cognito-idp:Get*",
        "config:Deliver*",
        "config:Describe*",
        "config:Get*",
        "config:List*",
        "config:SelectResourceConfig",
        "connect:List*",
        "connect:Describe*",
        "connect:GetFederationToken",
        "dataexchange:Get*",
        "dataexchange:List*",
        "datasync:Describe*",
        "datasync:List*",
        "datapipeline:Describe*",
        "datapipeline:EvaluateExpression",
        "datapipeline:Get*",
        "datapipeline:List*",
        "datapipeline:QueryObjects",
        "datapipeline:Validate*",
        "dax:BatchGetItem",
        "dax:Describe*",
        "dax:GetItem",
        "dax:ListTags",
        "dax:Query",
        "dax:Scan",
        "deepcomposer:GetComposition",
        "deepcomposer:GetModel",
        "deepcomposer:GetSampleModel",
        "deepcomposer:ListCompositions",
        "deepcomposer:ListModels",
        "deepcomposer:ListSampleModels",
        "deepcomposer:ListTrainingTopics",
        "detective:Get*",
        "detective:List*",
        "devicefarm:List*",
        "devicefarm:Get*",
        "devops-guru:DescribeAccountHealth",
        "devops-guru:DescribeAccountOverview",
        "devops-guru:DescribeAnomaly",
        "devops-guru:DescribeInsight",
        "devops-guru:DescribeResourceCollectionHealth",
        "devops-guru:DescribeServiceIntegration",
        "devops-guru:GetResourceCollection",
        "devops-guru:ListAnomaliesForInsight",
        "devops-guru:ListEvents",
        "devops-guru:ListInsights",
        "devops-guru:ListNotificationChannels",
        "devops-guru:ListRecommendations",
        "devops-guru:SearchInsights",
        "directconnect:Describe*",
        "discovery:Describe*",
        "discovery:List*",
        "discovery:Get*",
        "dlm:Get*",
        "dms:Describe*",
        "dms:List*",
        "dms:Test*",
        "ds:Check*",
        "ds:Describe*",
        "ds:Get*",
        "ds:List*",
        "ds:Verify*",
        "dynamodb:BatchGet*",
        "dynamodb:Describe*",
        "dynamodb:Get*",
        "dynamodb:List*",
        "dynamodb:Query",
        "dynamodb:Scan",
        "ec2:Describe*",
        "ec2:Get*",
        "ec2:SearchTransitGatewayRoutes",
        "ec2messages:Get*",
        "ecr:BatchCheck*",
        "ecr:BatchGet*",
        "ecr:Describe*",
        "ecr:Get*",
        "ecr:List*",
        "ecs:Describe*",
        "ecs:List*",
        "eks:Describe*",
        "eks:List*",
        "elasticache:Describe*",
        "elasticache:List*",
        "elasticbeanstalk:Check*",
        "elasticbeanstalk:Describe*",
        "elasticbeanstalk:List*",
        "elasticbeanstalk:Request*",
        "elasticbeanstalk:Retrieve*",
        "elasticbeanstalk:Validate*",
        "elasticfilesystem:Describe*",
        "elasticloadbalancing:Describe*",
        "elasticmapreduce:Describe*",
        "elasticmapreduce:GetBlockPublicAccessConfiguration",
        "elasticmapreduce:List*",
        "elasticmapreduce:View*",
        "elastictranscoder:List*",
        "elastictranscoder:Read*",
        "elemental-appliances-software:Get*",
        "elemental-appliances-software:List*",
        "es:Describe*",
        "es:List*",
        "es:Get*",
        "es:ESHttpGet",
        "es:ESHttpHead",
        "events:Describe*",
        "events:List*",
        "events:Test*",
        "firehose:Describe*",
        "firehose:List*",
        "fsx:Describe*",
        "fsx:List*",
        "freertos:Describe*",
        "freertos:List*",
        "gamelift:List*",
        "gamelift:Get*",
        "gamelift:Describe*",
        "gamelift:RequestUploadCredentials",
        "gamelift:ResolveAlias",
        "gamelift:Search*",
        "glacier:List*",
        "glacier:Describe*",
        "glacier:Get*",
        "globalaccelerator:Describe*",
        "globalaccelerator:List*",
        "glue:BatchGetDevEndpoints",
        "glue:BatchGetJobs",
        "glue:BatchGetPartition",
        "glue:BatchGetTriggers",
        "glue:BatchGetWorkflows",
        "glue:GetCatalogImportStatus",
        "glue:GetClassifier",
        "glue:GetClassifiers",
        "glue:GetCrawler",
        "glue:GetCrawlers",
        "glue:GetCrawlerMetrics",
        "glue:GetDatabase",
        "glue:GetDatabases",
        "glue:GetDataCatalogEncryptionSettings",
        "glue:GetDataflowGraph",
        "glue:GetDevEndpoint",
        "glue:GetDevEndpoints",
        "glue:GetJob",
        "glue:GetJobBookmark",
        "glue:GetJobs",
        "glue:GetJobRun",
        "glue:GetJobRuns",
        "glue:GetMapping",
        "glue:GetMLTaskRun",
        "glue:GetMLTaskRuns",
        "glue:GetMLTransform",
        "glue:GetMLTransforms",
        "glue:GetPartition",
        "glue:GetPartitions",
        "glue:GetPlan",
        "glue:GetResourcePolicy",
        "glue:GetSecurityConfiguration",
        "glue:GetSecurityConfigurations",
        "glue:GetTable",
        "glue:GetTables",
        "glue:GetTableVersion",
        "glue:GetTableVersions",
        "glue:GetTags",
        "glue:GetTrigger",
        "glue:GetTriggers",
        "glue:GetUserDefinedFunction",
        "glue:GetUserDefinedFunctions",
        "glue:GetWorkflow",
        "glue:GetWorkflowRun",
        "glue:GetWorkflowRunProperties",
        "glue:GetWorkflowRuns",
        "glue:ListCrawlers",
        "glue:ListDevEndpoints",
        "glue:ListJobs",
        "glue:ListMLTransforms",
        "glue:ListTriggers",
        "glue:ListWorkflows",
        "greengrass:Get*",
        "greengrass:List*",
        "guardduty:Get*",
        "guardduty:List*",
        "health:Describe*",
        "iam:Generate*",
        "iam:Get*",
        "iam:List*",
        "iam:Simulate*",
        "imagebuilder:Get*",
        "imagebuilder:List*",
        "importexport:Get*",
        "importexport:List*",
        "inspector:Describe*",
        "inspector:Get*",
        "inspector:List*",
        "inspector:Preview*",
        "iot:Describe*",
        "iot:Get*",
        "iot:List*",
        "iotanalytics:Describe*",
        "iotanalytics:List*",
        "iotanalytics:Get*",
        "iotanalytics:SampleChannelData",
        "iotsitewise:Describe*",
        "iotsitewise:Get*",
        "iotsitewise:List*",
        "iotwireless:GetDestination",
        "iotwireless:GetDeviceProfile",
        "iotwireless:GetPartnerAccount",
        "iotwireless:GetServiceEndpoint",
        "iotwireless:GetServiceProfile",
        "iotwireless:GetWirelessDevice",
        "iotwireless:GetWirelessDeviceStatistics",
        "iotwireless:GetWirelessGateway",
        "iotwireless:GetWirelessGatewayCertificate",
        "iotwireless:GetWirelessGatewayFirmwareInformation",
        "iotwireless:GetWirelessGatewayStatistics",
        "iotwireless:GetWirelessGatewayTask",
        "iotwireless:GetWirelessGatewayTaskDefinition",
        "iotwireless:ListDestinations",
        "iotwireless:ListDeviceProfiles",
        "iotwireless:ListPartnerAccounts",
        "iotwireless:ListServiceProfiles",
        "iotwireless:ListTagsForResource",
        "iotwireless:ListWirelessDevices",
        "iotwireless:ListWirelessGateways",
        "iotwireless:ListWirelessGatewayTaskDefinitions",
        "kafka:Describe*",
        "kafka:List*",
        "kafka:Get*",
        "kendra:DescribeDataSource",
        "kendra:DescribeFaq",
        "kendra:DescribeIndex",
        "kendra:DescribeThesaurus",
        "kendra:ListDataSources",
        "kendra:ListDataSourceSyncJobs",
        "kendra:ListFaqs",
        "kendra:ListIndices",
        "kendra:ListTagsForResource",
        "kendra:ListThesauri",
        "kendra:Query",
        "kinesisanalytics:Describe*",
        "kinesisanalytics:Discover*",
        "kinesisanalytics:Get*",
        "kinesisanalytics:List*",
        "kinesisvideo:Describe*",
        "kinesisvideo:Get*",
        "kinesisvideo:List*",
        "kinesis:Describe*",
        "kinesis:Get*",
        "kinesis:List*",
        "kms:Describe*",
        "kms:Get*",
        "kms:List*",
        "lambda:List*",
        "lambda:Get*",
        "lex:Get*",
        "license-manager:Get*",
        "license-manager:List*",
        "lightsail:GetActiveNames",
        "lightsail:GetBlueprints",
        "lightsail:GetBundles",
        "lightsail:GetCloudFormationStackRecords",
        "lightsail:GetDisk",
        "lightsail:GetDisks",
        "lightsail:GetDiskSnapshot",
        "lightsail:GetDiskSnapshots",
        "lightsail:GetDomain",
        "lightsail:GetDomains",
        "lightsail:GetExportSnapshotRecords",
        "lightsail:GetInstance",
        "lightsail:GetInstanceMetricData",
        "lightsail:GetInstancePortStates",
        "lightsail:GetInstances",
        "lightsail:GetInstanceSnapshot",
        "lightsail:GetInstanceSnapshots",
        "lightsail:GetInstanceState",
        "lightsail:GetKeyPair",
        "lightsail:GetKeyPairs",
        "lightsail:GetLoadBalancer",
        "lightsail:GetLoadBalancerMetricData",
        "lightsail:GetLoadBalancers",
        "lightsail:GetLoadBalancerTlsCertificates",
        "lightsail:GetOperation",
        "lightsail:GetOperations",
        "lightsail:GetOperationsForResource",
        "lightsail:GetRegions",
        "lightsail:GetRelationalDatabase",
        "lightsail:GetRelationalDatabaseBlueprints",
        "lightsail:GetRelationalDatabaseBundles",
        "lightsail:GetRelationalDatabaseEvents",
        "lightsail:GetRelationalDatabaseLogEvents",
        "lightsail:GetRelationalDatabaseLogStreams",
        "lightsail:GetRelationalDatabaseMetricData",
        "lightsail:GetRelationalDatabaseParameters",
        "lightsail:GetRelationalDatabases",
        "lightsail:GetRelationalDatabaseSnapshot",
        "lightsail:GetRelationalDatabaseSnapshots",
        "lightsail:GetStaticIp",
        "lightsail:GetStaticIps",
        "lightsail:Is*",
        "logs:Describe*",
        "logs:Get*",
        "logs:FilterLogEvents",
        "logs:ListTagsLogGroup",
        "logs:StartQuery",
        "logs:StopQuery",
        "logs:TestMetricFilter",
        "machinelearning:Describe*",
        "machinelearning:Get*",
        "mediaconvert:DescribeEndpoints",
        "mediaconvert:Get*",
        "mediaconvert:List*",
        "mediapackage:List*",
        "mediapackage:Describe*",
        "mgh:Describe*",
        "mgh:GetHomeRegion",
        "mgh:List*",
        "mobileanalytics:Get*",
        "mobilehub:Describe*",
        "mobilehub:Export*",
        "mobilehub:Generate*",
        "mobilehub:Get*",
        "mobilehub:List*",
        "mobilehub:Validate*",
        "mobilehub:Verify*",
        "mobiletargeting:Get*",
        "mobiletargeting:List*",
        "mq:Describe*",
        "mq:List*",
        "opsworks:Describe*",
        "opsworks:Get*",
        "opsworks-cm:List*",
        "opsworks-cm:Describe*",
        "organizations:Describe*",
        "organizations:List*",
        "outposts:Get*",
        "outposts:List*",
        "personalize:Describe*",
        "personalize:Get*",
        "personalize:List*",
        "pi:DescribeDimensionKeys",
        "pi:GetResourceMetrics",
        "polly:Describe*",
        "polly:Get*",
        "polly:List*",
        "polly:SynthesizeSpeech",
        "qldb:ListLedgers",
        "qldb:DescribeLedger",
        "qldb:ListJournalS3Exports",
        "qldb:ListJournalS3ExportsForLedger",
        "qldb:DescribeJournalS3Export",
        "qldb:GetBlock",
        "qldb:GetDigest",
        "qldb:GetRevision",
        "qldb:ListTagsForResource",
        "ram:Get*",
        "ram:List*",
        "rekognition:CompareFaces",
        "rekognition:Detect*",
        "rekognition:List*",
        "rekognition:Search*",
        "rds:Describe*",
        "rds:List*",
        "rds:Download*",
        "redshift:Describe*",
        "redshift:GetReservedNodeExchangeOfferings",
        "redshift:View*",
        "resource-groups:Get*",
        "resource-groups:List*",
        "resource-groups:Search*",
        "robomaker:BatchDescribe*",
        "robomaker:Describe*",
        "robomaker:Get*",
        "robomaker:List*",
        "route53:Get*",
        "route53:List*",
        "route53:Test*",
        "route53domains:Check*",
        "route53domains:Get*",
        "route53domains:List*",
        "route53domains:View*",
        "route53resolver:Get*",
        "route53resolver:List*",
        "s3:Get*",
        "s3:List*",
        "sagemaker:Describe*",
        "sagemaker:GetSearchSuggestions",
        "sagemaker:List*",
        "sagemaker:Search",
        "schemas:Describe*",
        "schemas:Get*",
        "schemas:List*",
        "schemas:Search*",
        "sdb:Get*",
        "sdb:List*",
        "sdb:Select*",
        "secretsmanager:List*",
        "secretsmanager:Describe*",
        "secretsmanager:GetResourcePolicy",
        "securityhub:Describe*",
        "securityhub:Get*",
        "securityhub:List*",
        "serverlessrepo:List*",
        "serverlessrepo:Get*",
        "serverlessrepo:SearchApplications",
        "servicecatalog:Describe*",
        "servicecatalog:GetApplication",
        "servicecatalog:GetAttributeGroup",
        "servicecatalog:List*",
        "servicecatalog:Scan*",
        "servicecatalog:Search*",
        "servicediscovery:Get*",
        "servicediscovery:List*",
        "servicequotas:GetAssociationForServiceQuotaTemplate",
        "servicequotas:GetAWSDefaultServiceQuota",
        "servicequotas:GetRequestedServiceQuotaChange",
        "servicequotas:GetServiceQuota",
        "servicequotas:GetServiceQuotaIncreaseRequestFromTemplate",
        "servicequotas:ListAWSDefaultServiceQuotas",
        "servicequotas:ListRequestedServiceQuotaChangeHistory",
        "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota",
        "servicequotas:ListServices",
        "servicequotas:ListServiceQuotas",
        "servicequotas:ListServiceQuotaIncreaseRequestsInTemplate",
        "ses:Get*",
        "ses:List*",
        "ses:Describe*",
        "shield:Describe*",
        "shield:Get*",
        "shield:List*",
        "signer:DescribeSigningJob",
        "signer:GetSigningPlatform",
        "signer:GetSigningProfile",
        "signer:ListSigningJobs",
        "signer:ListSigningPlatforms",
        "signer:ListSigningProfiles",
        "signer:ListTagsForResource",
        "snowball:Get*",
        "snowball:Describe*",
        "snowball:List*",
        "sns:Get*",
        "sns:List*",
        "sns:Check*",
        "sqs:Get*",
        "sqs:List*",
        "sqs:Receive*",
        "ssm:Describe*",
        "ssm:Get*",
        "ssm:List*",
        "sso:Get*",
        "sso:Describe*",
        "sso:List*",
        "sso:Search*",
        "sso-directory:Describe*",
        "sso-directory:List*",
        "sso-directory:Search*",
        "states:List*",
        "states:Describe*",
        "states:GetExecutionHistory",
        "storagegateway:Describe*",
        "storagegateway:List*",
        "sts:GetAccessKeyInfo",
        "sts:GetCallerIdentity",
        "sts:GetSessionToken",
        "swf:Count*",
        "swf:Describe*",
        "swf:Get*",
        "swf:List*",
        "synthetics:Describe*",
        "synthetics:Get*",
        "synthetics:List*",
        "tag:Get*",
        "transfer:Describe*",
        "transfer:List*",
        "transfer:TestIdentityProvider",
        "transcribe:Get*",
        "transcribe:List*",
        "trustedadvisor:Describe*",
        "waf:Get*",
        "waf:List*",
        "wafv2:CheckCapacity",
        "wafv2:Describe*",
        "wafv2:Get*",
        "wafv2:List*",
        "waf-regional:List*",
        "waf-regional:Get*",
        "workdocs:Describe*",
        "workdocs:Get*",
        "workdocs:CheckAlias",
        "worklink:Describe*",
        "worklink:List*",
        "workmail:Describe*",
        "workmail:Get*",
        "workmail:List*",
        "workmail:Search*",
        "workspaces:Describe*",
        "xray:BatchGet*",
        "xray:Get*"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "us-east-1"
        }
      }
    }
  ]
}
If you know the smartest way to combine all 3 bullet points, I would love to hear from you. Thanks!
I want to block all users from accessing almost all AWS regions. You cannot "disable" the regions that are enabled by default. I also know about account-level permissions, which cannot be restricted to a region.
I don't want to add a policy like this to every user/role/group:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": [
            "eu-west-1",
            "eu-west-2",
            "eu-west-3"
          ]
        }
      }
    }
  ]
}
You cannot nest groups, so I cannot have a top-level group carrying this policy and put all the other groups inside it.
You cannot add roles to groups. So for the SAM templates of my serverless applications, do I have to add this policy to all of those templates? They dynamically create a unique role and policy for each application (and I want to keep it that way).
Is there a way to enforce a policy for all users and roles in an account? I must be missing something, because this seems like a PITA to manage.
In Active Directory we can easily apply policies at the OU/domain/site/etc. level. It feels like a basic feature of a security and identity platform.
Is there a way to apply this policy at the level of my AWS Organization?
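The three policies quoted above (the security-group policy that stopped working once DescribeSecurityGroupRules became necessary, the two-statement region-scoped policy, and the EU-only policy) all rely on the same few IAM evaluation rules: implicit deny, explicit Allow, wildcards in Action, and a StringEquals condition on aws:RequestedRegion. The following added example is mine and not code from any of the posts; it implements just that subset so the effect of each policy on a given action and region can be checked offline before the policy is attached to anything. The long read-only action list is trimmed to a handful of representative entries, and the account and security-group ids are the placeholders from the post.

```python
"""Minimal evaluator for AWS IAM identity-based policies (added example).

Scope: implicit deny, explicit Allow/Deny, '*'/'?' wildcards in Action
(case-insensitive) and a StringEquals condition on aws:RequestedRegion.
Resource ARNs, policy variables, other condition operators, SCPs and
permission boundaries are deliberately not modelled.
"""
import re


def action_matches(pattern: str, action: str) -> bool:
    """IAM Action matching: case-insensitive, '*' and '?' are wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition: dict, context: dict) -> bool:
    """Only StringEquals is supported; any other operator is treated as
    not matching, so an unknown condition can never widen access."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            return False
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def evaluate(policy: dict, action: str, context: dict) -> str:
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one action."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        patterns = _as_list(stmt.get("Action", []))
        if not any(action_matches(p, action) for p in patterns):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        decision = "Allow"
    return decision


def missing_actions(policy: dict, required: list, context: dict) -> list:
    """Actions in `required` that the policy does not allow in `context`."""
    return [a for a in required if evaluate(policy, a, context) != "Allow"]


def region_ctx(region: str) -> dict:
    return {"aws:RequestedRegion": region}


# The security-group policy from the post (placeholder ids kept as posted).
SG_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": ["ec2:RevokeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupIngress"],
        "Resource": "arn:aws:ec2:eu-west-1:XXXXXXXXXXX:security-group/sg-XXXXXXXXXXX",
    }],
}

# The two-statement region policy; the read-only action list is trimmed
# here to a few representative entries (this trimming is mine, not the post's).
REGION_SPLIT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowFullAccessToOneSpecificRegion", "Effect": "Allow",
         "Action": "*", "Resource": "*",
         "Condition": {"StringEquals": {"aws:RequestedRegion": "ap-east-1"}}},
        {"Sid": "AllowReadOnlyAccessToOneSpecificRegion", "Effect": "Allow",
         "Action": ["ec2:Describe*", "ec2:Get*", "s3:Get*", "s3:List*",
                    "iam:Get*", "iam:List*", "sts:GetCallerIdentity"],
         "Resource": "*",
         "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}}},
    ],
}

# The EU-only policy from the post above, as posted.
EU_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Action": "*", "Resource": "*",
        "Condition": {"StringEquals": {
            "aws:RequestedRegion": ["eu-west-1", "eu-west-2", "eu-west-3"]}},
    }],
}

if __name__ == "__main__":
    print(missing_actions(SG_POLICY, ["ec2:AuthorizeSecurityGroupIngress",
                                      "ec2:DescribeSecurityGroupRules"],
                          region_ctx("eu-west-1")))
    for region in ("ap-east-1", "us-east-1", "eu-west-1"):
        print(region,
              evaluate(REGION_SPLIT_POLICY, "ec2:RunInstances", region_ctx(region)),
              evaluate(REGION_SPLIT_POLICY, "ec2:DescribeInstances", region_ctx(region)))
    print(evaluate(EU_ONLY_POLICY, "s3:ListAllMyBuckets", region_ctx("us-east-1")))
```

Running it shows the security-group policy does not cover ec2:DescribeSecurityGroupRules (which is what the console message complains about), that the two-statement policy gives ec2:RunInstances in ap-east-1 but only the Describe/Get actions in us-east-1 and nothing anywhere else, and that the EU-only policy falls back to the implicit deny outside the three listed regions. Two caveats: the evaluator does not model the value aws:RequestedRegion takes for global services, and it evaluates a single identity policy in isolation, without SCPs, permission boundaries or resource policies that apply in a real account.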
We have a business requirement where deleting resources in an AWS account must be approved by 2 users, say an admin and a manager.
There doesn't seem to be a straightforward, out-of-the-box way to do this.
We can manage the problem with a few manual handling approaches.
Apart from that, is it possible to automatically enforce that 2 users are required to delete a resource?
Specifically, can we use IAM condition keys in a policy to require MFA from 2 users?
I use AWS Secrets Manager to store a password that a service started on my EC2 instance needs to read.
To do that, I thought of creating a role that can access Secrets Manager and attaching it to the instance I want to read the secret from. However, when I try to create the role, I cannot find the Secrets Manager service.
Another solution could be to store the access key and secret key of a user who can access that service on the EC2 instance, but I don't like that solution because I don't want to store that kind of key on the instance.
Any ideas on how to create the role I'm talking about, or any other solution?
Thanks a lot
I have a client who gave my email IAM access to his AWS account.
I logged in successfully and then launched an EC2 instance in his account as an IAM user.
But the client, as the root user, does not see the instance on his side.
What could the problem be?
Like my client's AWS account email [email protected]
and my email [email protected]
The client gave my email [email protected] IAM access to his AWS account,
and I launched an EC2 instance on my side.
But the client does not see the instance I launched on his account; the client logs in as the root user because he is the owner of the account, and his login is [email protected]
I am new to AWS; can anyone help me in this situation?
I am trying to bootstrap a Kubernetes cluster on AWS with kubeadm. Please, before you suggest it: I am not interested in using EKS or other bootstrapping solutions like Kops, Kubespray, etc.
There seems to be a lot of inaccurate information about the correct procedure, due to the split caused by cloud provider integrations being managed out-of-tree rather than in-tree. So I have been struggling to figure out how to set up this integration properly.
The official repo states three requirements.
1) You must initialize kubelet, kube-apiserver and kube-controller-manager with the --cloud-provider=external parameter. If I understand correctly, this lets you use the out-of-tree provider. Using aws here would use the in-tree provider, which is on a deprecation timeline.
2) You must create two IAM policies, associate them with an IAM instance profile, and launch the Kubernetes nodes with said profile attached.
3) Each node in the cluster must have the same hostname as the Private DNS name associated with the underlying EC2 instance.
In addition, I believe it used to be required to attach the following tag to your EC2 instances, route tables, security groups and subnets. I did that too for good measure:
"kubernetes.io/cluster/${var.K8S_CLUSTER_NAME}" = "kubernetes.io/cluster/${var.K8S_CLUSTER_NAME}"
However, despite all this, when my worker nodes come online after bootstrapping, they have the following taint applied:
node.cloudprovider.kubernetes.io/uninitialized: true
This apparently means the node has not yet been initialized by the cloud provider. I really don't know where to go from here. There is an open issue asking for additional instructions on how to integrate with AWS using the cloud provider, but it is currently unanswered.
You may notice I commented on that issue detailing my problem. Here is a summary of my environment details showing that I should meet the listed requirements.
1) My kubeadm config file sets the cloud provider to external in four places:
KubeletConfiguration and InitConfiguration:
nodeRegistration:
  kubeletExtraArgs:
    cloud-provider: external
ClusterConfiguration:
apiServer:
  extraArgs:
    cloud-provider: external
ClusterConfiguration:
controllerManager:
  extraArgs:
    cloud-provider: external
2) My EC2 instances are launched with an instance profile carrying the IAM policies outlined in the README:
$> aws ec2 describe-instances --instance-ids INSTANCE.ID | jq '.Reservations[].Instances[].IamInstanceProfile[]'
"arn:aws-us-gov:iam::ACCOUNT.ID:instance-profile/PROFILE-NAME"
3) The hostname is the EC2 private DNS name:
$> hostname -f
ip-10-0-10-91.us-gov-west-1.compute.internal
4) The EC2 instances, as well as my route tables, subnets, etc., are tagged with:
"kubernetes.io/cluster/${var.K8S_CLUSTER_NAME}" = "kubernetes.io/cluster/${var.K8S_CLUSTER_NAME}"
As a result, it looks like I meet all the requirements, so I'm not sure why my nodes still come up with that taint. Any help would be greatly appreciated!
I have updated the tag on each instance to:
"kubernetes.io/cluster/${var.K8S_CLUSTER_NAME}" = "owned"
and added this tag to each subnet:
"kubernetes.io/role/internal-elb" = 1
However, this did not fix the problem.
Users elsewhere suggested the problem might be that I had not applied the RBAC and DaemonSet resources present in the manifests directory of the cloud-provider-aws repo. After doing so with this image, I can confirm it did not solve my problem, because judging by the logs the pod produces on startup, aws-cloud-controller-manager seems to expect you to use aws and not external:
Generated self-signed cert in-memory
Neither --kubeconfig nor --master was specified. Using the inClusterConfig. This might not work.
Version: v0.0.0-master+$Format:%h$
WARNING: aws built-in cloud provider is now deprecated. The AWS provider is deprecated and will be removed in a future release
Building AWS cloudprovider
Zone not specified in configuration file; querying AWS metadata service
Cloud provider could not be initialized: could not init cloud provider "aws": clusterID tags did not match: "example-14150" vs "True"
I built a new image from the repo at commit 6a14c81. It can be found here. It also seems to use the aws provider by default?
Cloud provider could not be initialized: could not init cloud provider "aws": clusterID tags did not match: "example-14150" vs "True"
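The post lists the per-node prerequisites for the external AWS cloud provider (instance profile attached, hostname equal to the EC2 private DNS name, a kubernetes.io/cluster/<id> tag) and ends with a "clusterID tags did not match" error. That message is produced when the provider's tag scan finds both a kubernetes.io/cluster/<id> tag and a legacy KubernetesCluster tag whose values disagree, which is consistent with the "example-14150" vs "True" pair in the log. The following added example is mine and not code from the post or from the cloud-provider-aws project: an offline pre-flight check that runs those checks against a record shaped like aws ec2 describe-instances output. Both instance records are constructed samples; the second reproduces the post's first tagging attempt (tag value equal to the key name) plus a stale legacy tag.

```python
"""Offline pre-flight check for nodes joining a kubeadm cluster that uses
the external AWS cloud provider (added example, not from the post or from
cloud-provider-aws). Input is an instance record in the shape of
`aws ec2 describe-instances` output; the records below are constructed.
"""

CLUSTER_TAG_PREFIX = "kubernetes.io/cluster/"
LEGACY_CLUSTER_TAG = "KubernetesCluster"  # older tag; its value is the cluster id
CLUSTER_TAG_VALUES = {"owned", "shared"}  # documented values for the cluster tag


def tags_to_dict(instance: dict) -> dict:
    return {t["Key"]: t["Value"] for t in instance.get("Tags", [])}


def check_node(instance: dict, cluster_id: str, hostname: str) -> list:
    """Return a list of findings; an empty list means the node passes."""
    findings = []
    tags = tags_to_dict(instance)

    ids = [k[len(CLUSTER_TAG_PREFIX):] for k in tags if k.startswith(CLUSTER_TAG_PREFIX)]
    if not ids:
        findings.append(f"missing {CLUSTER_TAG_PREFIX}{cluster_id} tag")
    elif len(ids) > 1:
        findings.append(f"multiple cluster tags found: {sorted(ids)}")
    elif ids[0] != cluster_id:
        findings.append(f"cluster tag names {ids[0]!r}, expected {cluster_id!r}")
    else:
        value = tags[CLUSTER_TAG_PREFIX + cluster_id]
        if value not in CLUSTER_TAG_VALUES:
            findings.append(f"cluster tag value {value!r} should be 'owned' or 'shared'")

    # A legacy KubernetesCluster tag whose value is not the cluster id makes
    # the provider's clusterID detection fail ("clusterID tags did not match").
    legacy = tags.get(LEGACY_CLUSTER_TAG)
    if legacy is not None and legacy != cluster_id:
        findings.append(f"legacy {LEGACY_CLUSTER_TAG}={legacy!r} disagrees with cluster id {cluster_id!r}")

    private_dns = instance.get("PrivateDnsName", "")
    if hostname != private_dns:
        findings.append(f"hostname {hostname!r} != private DNS name {private_dns!r}")

    if not instance.get("IamInstanceProfile", {}).get("Arn"):
        findings.append("no IAM instance profile attached")
    return findings


# Constructed sample: a node meeting every requirement listed in the post.
GOOD_NODE = {
    "PrivateDnsName": "ip-10-0-10-91.us-gov-west-1.compute.internal",
    "IamInstanceProfile": {"Arn": "arn:aws-us-gov:iam::ACCOUNT.ID:instance-profile/PROFILE-NAME"},
    "Tags": [{"Key": "kubernetes.io/cluster/example-14150", "Value": "owned"}],
}

# Constructed sample: the post's first tagging attempt (value equal to the key)
# plus a leftover legacy tag, one way to get "clusterID tags did not match".
BAD_NODE = {
    "PrivateDnsName": "ip-10-0-10-92.us-gov-west-1.compute.internal",
    "IamInstanceProfile": {"Arn": "arn:aws-us-gov:iam::ACCOUNT.ID:instance-profile/PROFILE-NAME"},
    "Tags": [
        {"Key": "kubernetes.io/cluster/example-14150", "Value": "kubernetes.io/cluster/example-14150"},
        {"Key": "KubernetesCluster", "Value": "True"},
    ],
}

if __name__ == "__main__":
    for name, node in (("good", GOOD_NODE), ("bad", BAD_NODE)):
        print(name, check_node(node, "example-14150", node["PrivateDnsName"]) or "OK")
```

In practice the instance record would come from the describe-instances output shown in the post and the hostname from hostname -f on the node; running the check before kubeadm join turns a silent uninitialized taint into a concrete list of what differs from the documented requirements.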