我知道您可以设置IAM策略来限制对服务的访问。但是,是否可以设置一个策略来允许访问服务的一部分。
例如,我是两个EC2实例。我需要创建两个用户,这样他们就可以访问AWS控制台,但每个用户只能访问一个EC2实例。
是的,您可以使用EC2 的资源级别权限来执行此操作
资源的结构在文件中说明如下:
arn:aws:[service]:[region]:[account]:resourceType/resourcePath
以下是如何为每个用户构建IAM策略:
用户1
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "ec2:*",
"Resource": "arn:aws:ec2:us-east-1:123456789012:instance/InstanceIdOne"
}
]
}
用户2
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "ec2:*",
"Resource": "arn:aws:ec2:us-east-1:123456789012:instance/InstanceIdTwo"
}
]
}
没有访问EC2:DescriptionInstance的策略将不起作用。您需要允许DescribeInstances访问所有资源,并根据需要管理额外的访问权限,如修改、删除特定实例。
简而言之,允许所有用户进行所有基本操作,如描述标签、实例、网络ACL、图像等,并允许修改和删除等特定的破坏性操作来选择用户。
EC2操作列表供您参考http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_Operations.html
所以你有两个选择-
-
创建一个策略,如下所示,并将相同的策略附加到两个用户
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "ec2:*Describe*", "Resource":"*", }, { "Effect": "Allow", "Action": [ "ec2:*Modify*", "ec2:*Delete*" ], "Principal": { "AWS": "arn:aws:iam::AWS-account-ID:user/**user-name-1**" }, "Resource": "arn:aws:ec2:us-east-1:AWS-account-ID:instance/**InstanceIdOne**" }, { "Effect": "Allow", "Action": [ "ec2:*Modify*", "ec2:*Delete*" ], "Principal": { "AWS": "arn:aws:iam::AWS-account-ID:user/**user-name-2**" }, "Resource": "arn:aws:ec2:us-east-1:AWS-account-ID:instance/**InstanceIdTwo**" } ]} -
创建2个不同的策略。低于的示例
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "ec2:*Describe*", "Resource":"*", }, { "Effect": "Allow", "Action": [ "ec2:*Modify*", "ec2:*Delete*" ], "Principal": { "AWS": "arn:aws:iam::AWS-account-ID:user/**user-name-1**" }, "Resource": "arn:aws:ec2:us-east-1:AWS-account-ID:instance/**InstanceIdOne**" } ]}