我正在尝试创建一个IAM policy,以限制用户访问特定VPC中的所有实例。遵循我制定的政策,但没有奏效。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1450441260778",
"Action": "ec2:*",
"Effect": "Allow",
"Resource": "arn:aws:ec2:region:Account_num:vpc/vpc-id"
}
]
}
我已在策略中填写了相应的account_num和vpc-id。
您想要限制用户访问权限,并且您已经使用了allow属性,该属性将授予访问实例的权限。这是想要的行为吗?
若您真的想限制,请尝试相同策略中的"Effect": "Deny"。
然而,如果你想让某些用户访问,下面是你可以做到的。
在这种情况下,以下政策对我很有效。我使用它来限制开发人员对实例的访问。您可以在第二个块中添加任意数量的权限。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:DescribeInstances*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:StartInstances*",
"ec2:StopInstances*"
],
"Resource": "arn:aws:ec2:ap-southeast-1:ACCOUNT_ID:instance/i-32ds2a29"
}
]
}
ap-southeast-1是我的案例所在的区域。要控制特定vpc中的实例,只需使用其id即可。vpc+instance_id没有单独的arn,而是可以使用arn:aws:ec2:region:account-id:instance/instance-id作为arn。
类似地,您可以使用相同的策略来限制特定vpc中的用户,方法是使用arn:aws:ec2:region:account-id:vpc/vpc-id作为arn,并添加有效的操作ec2:*和deny。
某些权限无法应用于特定资源。当您在IAM中检查策略时,这些权限将显示一个错误。
为了将用户限制到特定的VPC并允许所有EC2操作,以下策略可以帮助您实现这一点:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "NonResourceBasedReadOnlyPermissions",
"Action": [
"ec2:Describe*",
"ec2:CreateKeyPair",
"ec2:CreateSecurityGroup",
"iam:GetInstanceProfiles",
"iam:ListInstanceProfiles"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "IAMPassroleToInstance",
"Action": [
"iam:PassRole"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::123456789012:role/VPCLockDown"
},
{
"Sid": "AllowInstanceActions",
"Effect": "Allow",
"Action": [
"ec2:RebootInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ec2:StartInstances",
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
"Condition": {
"StringEquals": {
"ec2:InstanceProfile": "arn:aws:iam::123456789012:instance-profile/VPCLockDown"
}
}
},
{
"Sid": "EC2RunInstances",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
"Condition": {
"StringEquals": {
"ec2:InstanceProfile": "arn:aws:iam::123456789012:instance-profile/VPCLockDown"
}
}
},
{
"Sid": "EC2RunInstancesSubnet",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:us-east-1:123456789012:subnet/*",
"Condition": {
"StringEquals": {
"ec2:vpc": "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-7bcd371e"
}
}
},
{
"Sid": "RemainingRunInstancePermissions",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:us-east-1:123456789012:volume/*",
"arn:aws:ec2:us-east-1::image/*",
"arn:aws:ec2:us-east-1::snapshot/*",
"arn:aws:ec2:us-east-1:123456789012:network-interface/*",
"arn:aws:ec2:us-east-1:123456789012:key-pair/*",
"arn:aws:ec2:us-east-1:123456789012:security-group/*"
]
},
{
"Sid": "EC2VpcNonresourceSpecificActions",
"Effect": "Allow",
"Action": [
"ec2:DeleteNetworkAcl",
"ec2:DeleteNetworkAclEntry",
"ec2:DeleteRoute",
"ec2:DeleteRouteTable",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:DeleteSecurityGroup"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:vpc": "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-7bcd371e"
}
}
}
]
}
为了详细了解每个语句的作用,我建议阅读AWS的这篇博客。此策略允许用户:
- 登录AWS管理控制台,然后转到Amazon EC2控制台
- 启动EC2实例,只要它们:
在适当的VPC中指定一个子网。指定允许的实例配置文件。
- 在实例上启动/停止/重新启动/终止/附加卷/分离卷,只要它们:
指定使用正确的实例配置文件启动的实例。
- 删除安全组、路由、路由表、网络ACL和ACL条目,以及授权和撤销安全组入口和出口规则,只要它们在适当的VPC中即可