Amazon EC2 IAM Policy: restrict modification to a single security group



I am trying to create an IAM policy in Amazon AWS that allows access to view or edit/modify a single security group. I followed the AWS documentation but could not get this policy to work. The policy I created is as follows:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Stmt123456789123",
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeSecurityGroups",
                    "ec2:*"
                ],
                "Resource": [
                    "arn:aws:ec2:us-east-1:000000000000:security-group/sg-a123a1a1"
                ]
            }
        ]
    }

Yes, I do realize I have a redundant action, but I noticed that you can specify describing security groups while there is no modify option; hence "*" was my only choice. Thankfully, the resource should allow me to restrict this action to a single security group.

This is partially possible. See https://serverfault.com/questions/575487/use-iam-to-allow-user-to-edit-aws-ec2-security-groups: it is indeed possible to restrict editing to a single group, but I did not get the listing restricted to only one group:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1413232782000",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstances",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeSecurityGroups"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1413232782001",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:<accountid>:security-group/sg-<id>"
            ]
        }
    ]
}

Here is what I managed to put together, and it works well!

Create the following policy and add it to a user group (or create a new user group):

Update the items in {braces}:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:RevokeSecurityGroupIngress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:DeleteSecurityGroup"
            ],
            "Resource": "arn:aws:ec2:{REGION}:{ACCOUNT_NUMBER}:security-group/{NSG-ID}",
            "Condition": {
                "ArnEquals": {
                    "ec2:Vpc": "arn:aws:ec2:{REGION}:{ACCOUNT_NUMBER}:vpc/{VPC-ID}"
                }
            }
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeSecurityGroupReferences",
                "ec2:DescribeVpcs",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeStaleSecurityGroups"
            ],
            "Resource": "*"
        }
    ]
}

Hmm, it looks like the code formatter is not working properly, but you can read the reference here: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_ec2_securitygroups-vpc.html

Thanks!
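As an added example that is not part of the question or of either answer above, the following Python script generates a policy of the shape used in the second answer and validates the two ARNs before emitting it. The region, account number, security-group ID and VPC ID are constructed placeholders. The validation matters because a malformed ARN, for instance one that omits the `ec2` service segment, never matches any request: IAM does not error on it, the Allow simply grants nothing, and the user sees AccessDenied. The script also keeps the Describe* actions on Resource "*", because EC2 Describe calls do not support resource-level permissions and fail when scoped to a single security-group ARN.

```python
import json
import re

# Constructed sample identifiers for this example (not real resources).
REGION = "us-east-1"
ACCOUNT = "123456789012"
SG_ID = "sg-0123456789abcdef0"
VPC_ID = "vpc-0123456789abcdef0"

# A security-group ARN must carry the "ec2" service segment, a 12-digit
# account ID and a "security-group/sg-..." resource part. Anything else
# silently matches nothing.
SG_ARN_RE = re.compile(r"^arn:aws:ec2:[a-z0-9-]+:\d{12}:security-group/sg-[0-9a-f]{8,17}$")
VPC_ARN_RE = re.compile(r"^arn:aws:ec2:[a-z0-9-]+:\d{12}:vpc/vpc-[0-9a-f]{8,17}$")

# Mutating EC2 actions that accept a security-group ARN as the resource.
SG_RESOURCE_ACTIONS = [
    "ec2:AuthorizeSecurityGroupIngress",
    "ec2:AuthorizeSecurityGroupEgress",
    "ec2:RevokeSecurityGroupIngress",
    "ec2:RevokeSecurityGroupEgress",
]

# Describe* actions do not support resource-level permissions in EC2,
# so they have to be allowed on "*" (which is why listing cannot be
# narrowed to one group).
DESCRIBE_ACTIONS = [
    "ec2:DescribeSecurityGroups",
    "ec2:DescribeSecurityGroupReferences",
    "ec2:DescribeStaleSecurityGroups",
    "ec2:DescribeVpcs",
]


def sg_arn(region, account, sg_id):
    return f"arn:aws:ec2:{region}:{account}:security-group/{sg_id}"


def vpc_arn(region, account, vpc_id):
    return f"arn:aws:ec2:{region}:{account}:vpc/{vpc_id}"


def validate_arns(sg, vpc):
    """Return a list of problems; an empty list means both ARNs are well-formed."""
    problems = []
    if not SG_ARN_RE.match(sg):
        problems.append(f"malformed security-group ARN: {sg}")
    if not VPC_ARN_RE.match(vpc):
        problems.append(f"malformed VPC ARN: {vpc}")
    return problems


def build_policy(region, account, sg_id, vpc_id):
    """Build the two-statement policy: scoped mutations plus unscoped Describe*."""
    sg = sg_arn(region, account, sg_id)
    vpc = vpc_arn(region, account, vpc_id)
    problems = validate_arns(sg, vpc)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ModifyOneSecurityGroup",
                "Effect": "Allow",
                "Action": SG_RESOURCE_ACTIONS,
                "Resource": sg,
                # ec2:Vpc pins the rule changes to the group's own VPC.
                "Condition": {"ArnEquals": {"ec2:Vpc": vpc}},
            },
            {
                "Sid": "ListSecurityGroups",
                "Effect": "Allow",
                "Action": DESCRIBE_ACTIONS,
                "Resource": "*",
            },
        ],
    }


def resource_scoped_actions(policy):
    """Set of actions the policy allows on a specific (non-'*') resource."""
    out = set()
    for st in policy["Statement"]:
        if st["Effect"] == "Allow" and st["Resource"] != "*":
            out.update(st["Action"])
    return out


if __name__ == "__main__":
    print(json.dumps(build_policy(REGION, ACCOUNT, SG_ID, VPC_ID), indent=4))
```

Run the script and redirect its output to a file, then attach it with `aws iam create-policy --policy-name ... --policy-document file://policy.json`. If you later widen `SG_RESOURCE_ACTIONS`, keep the Describe* calls in the second statement; moving one of them onto the security-group ARN makes that call fail even though the policy looks tighter.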

You can add a new rule to the security group like this:

aws ec2 authorize-security-group-ingress --group-name MySecurityGroup --protocol tcp --port 3389 --cidr 203.0.113.0/24

Tags can also be changed.
