IAM policy to restrict users to instances in a specific VPC
I am trying to create an IAM policy to restrict users to all instances in a specific VPC. Following is the policy I created, but it did not work.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1450441260778",
            "Action": "ec2:*",
            "Effect": "Allow",
            "Resource": "arn:aws:ec2:region:Account_num:vpc/vpc-id"
        }
    ]
}
I filled in the corresponding account_num and vpc-id in the policy.
You want to restrict the user's access, yet you used the Allow effect, which grants access to the instances. Is that the desired behaviour?
If you really want to restrict, try "Effect": "Deny" in the same policy.
But if you want to grant access to some users, proceed as follows.
In that case the following policy works well for me. I use it to restrict developers' access to starting and stopping instances. You can add as many permissions as you like in the second block.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:DescribeInstances*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances*",
                "ec2:StopInstances*"
            ],
            "Resource": "arn:aws:ec2:ap-southeast-1:ACCOUNT_ID:instance/i-32ds2a29"
        }
    ]
}
ap-southeast-1 is the region in my case.
To control instances in a specific VPC, you can simply use the instance id. There is no separate ARN for vpc+instance_id; you can use arn:aws:ec2:region:account-id:instance/instance-id as the ARN, refer to this.
Similarly, you can use the same policy to restrict users in a specific VPC by using arn:aws:ec2:region:account-id:vpc/vpc-id as the ARN, with Action ec2:* and Deny as the Effect.
Some permissions cannot be applied to specific resources. These will show an error when you validate the policy in IAM.
To restrict users to a specific VPC while allowing all EC2 actions, the following policy can help you achieve this:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "NonResourceBasedReadOnlyPermissions",
            "Action": [
                "ec2:Describe*",
                "ec2:CreateKeyPair",
                "ec2:CreateSecurityGroup",
                "iam:GetInstanceProfiles",
                "iam:ListInstanceProfiles"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "IAMPassroleToInstance",
            "Action": [
                "iam:PassRole"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:iam::123456789012:role/VPCLockDown"
        },
        {
            "Sid": "AllowInstanceActions",
            "Effect": "Allow",
            "Action": [
                "ec2:RebootInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
                "ec2:StartInstances",
                "ec2:AttachVolume",
                "ec2:DetachVolume"
            ],
            "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
            "Condition": {
                "StringEquals": {
                    "ec2:InstanceProfile": "arn:aws:iam::123456789012:instance-profile/VPCLockDown"
                }
            }
        },
        {
            "Sid": "EC2RunInstances",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
            "Condition": {
                "StringEquals": {
                    "ec2:InstanceProfile": "arn:aws:iam::123456789012:instance-profile/VPCLockDown"
                }
            }
        },
        {
            "Sid": "EC2RunInstancesSubnet",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:us-east-1:123456789012:subnet/*",
            "Condition": {
                "StringEquals": {
                    "ec2:vpc": "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-7bcd371e"
                }
            }
        },
        {
            "Sid": "RemainingRunInstancePermissions",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:us-east-1:123456789012:volume/*",
                "arn:aws:ec2:us-east-1::image/*",
                "arn:aws:ec2:us-east-1::snapshot/*",
                "arn:aws:ec2:us-east-1:123456789012:network-interface/*",
                "arn:aws:ec2:us-east-1:123456789012:key-pair/*",
                "arn:aws:ec2:us-east-1:123456789012:security-group/*"
            ]
        },
        {
            "Sid": "EC2VpcNonresourceSpecificActions",
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteNetworkAcl",
                "ec2:DeleteNetworkAclEntry",
                "ec2:DeleteRoute",
                "ec2:DeleteRouteTable",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:DeleteSecurityGroup"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:vpc": "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-7bcd371e"
                }
            }
        }
    ]
}
For details on what each statement does, I recommend reading this blog from AWS. The policy allows users to:
- Sign in to the AWS Management Console and go to the Amazon EC2 console.
- Launch EC2 instances, as long as they:
  - Specify a subnet in the proper VPC.
  - Specify the allowed instance profiles.
- Start/stop/reboot/terminate/attach volume/detach volume on instances, as long as they:
  - Specify an instance launched with the proper instance profile.
- Delete security groups, routes, route tables, network ACLs and ACL entries, and authorize and revoke security group ingress and egress rules, as long as they are in the proper VPC.
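The two answers rest on the same IAM mechanics: a statement only applies when its Resource pattern matches the ARN the action is actually authorised against (an instance action is checked against the instance ARN, never against vpc/vpc-id, which is why the question's policy did nothing), an explicit Deny beats any Allow, and the ec2:vpc condition key is what ties subnet-level RunInstances permission to one VPC. The following toy evaluator, an added example that is neither AWS code nor taken from either answer, models just those rules so the requests discussed above can be evaluated offline. It reuses the account id and VPC id from the second answer; the instance and subnet ids, and the Deny guard statement that combines the first answer's Deny with the second answer's ec2:vpc condition, are my own constructed additions.

```python
import fnmatch

# Account, region and VPC id are the ones in the second answer; the instance,
# subnet and "other" VPC ids are constructed placeholders for this demo.
ACCOUNT = "123456789012"
REGION = "us-east-1"
VPC_ARN = f"arn:aws:ec2:{REGION}:{ACCOUNT}:vpc/vpc-7bcd371e"
OTHER_VPC_ARN = f"arn:aws:ec2:{REGION}:{ACCOUNT}:vpc/vpc-0000aaaa"          # constructed
INSTANCE_ARN = f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/i-0123456789abcdef0"  # constructed
SUBNET_ARN = f"arn:aws:ec2:{REGION}:{ACCOUNT}:subnet/subnet-0abc1234"        # constructed


def _as_list(value):
    """IAM accepts a single string or a list for Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style '*' and '?' wildcards. ARNs contain no '[' so fnmatch is safe here."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_ok(condition, context):
    """Supports only StringEquals / StringNotEquals, the operators the page's policies use.

    A key missing from the request context fails StringEquals and passes
    StringNotEquals, which is how IAM treats single-valued string conditions.
    """
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            present = context.get(key) in _as_list(expected)
            if operator == "StringEquals" and not present:
                return False
            if operator == "StringNotEquals" and present:
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request.

    Core IAM rule: look at every statement that matches action, resource and
    condition; any explicit Deny wins; an Allow wins otherwise; no match at all
    is an implicit deny. (Real IAM adds NotAction, policy variables, SCPs, etc.)
    """
    context = context or {}
    outcome = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_ok(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        outcome = "Allow"
    return outcome


# The questioner's policy: ec2:* allowed on the VPC's own ARN.
ASKER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": VPC_ARN}],
}

# The second answer's EC2RunInstancesSubnet statement, plus a constructed Deny
# guard (StringNotEquals on ec2:vpc) so no other Allow can widen the scope.
VPC_SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EC2RunInstancesSubnet",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": f"arn:aws:ec2:{REGION}:{ACCOUNT}:subnet/*",
            "Condition": {"StringEquals": {"ec2:vpc": VPC_ARN}},
        },
        {
            "Sid": "DenySubnetsOutsideVpc",  # constructed addition, not from the answers
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": f"arn:aws:ec2:{REGION}:{ACCOUNT}:subnet/*",
            "Condition": {"StringNotEquals": {"ec2:vpc": VPC_ARN}},
        },
    ],
}


def explain():
    """Evaluate the requests the question and answers talk about."""
    return {
        # Why the question's policy "did not work": StopInstances is authorised
        # against the instance ARN, which the vpc/vpc-id resource never matches.
        "asker_stop_instance": evaluate(ASKER_POLICY, "ec2:StopInstances", INSTANCE_ARN),
        # The same statement does match actions whose resource is the VPC itself.
        "asker_delete_vpc": evaluate(ASKER_POLICY, "ec2:DeleteVpc", VPC_ARN),
        # Condition-key approach: a subnet in the right VPC is allowed ...
        "scoped_run_right_vpc": evaluate(VPC_SCOPED_POLICY, "ec2:RunInstances",
                                         SUBNET_ARN, {"ec2:vpc": VPC_ARN}),
        # ... while a subnet in any other VPC hits the explicit Deny.
        "scoped_run_other_vpc": evaluate(VPC_SCOPED_POLICY, "ec2:RunInstances",
                                         SUBNET_ARN, {"ec2:vpc": OTHER_VPC_ARN}),
    }


if __name__ == "__main__":
    for name, result in explain().items():
        print(f"{name}: {result}")
```

Running it shows the first request as ImplicitDeny and the second as Allow, which is the resource-ARN mismatch the first answer alludes to when it says there is no vpc+instance ARN. The last two requests show that the ec2:vpc condition does the scoping the question asked for, and that the Deny guard makes the restriction hold even if a broader Allow is attached to the same principal later. For a real account, AWS's own policy simulator (SimulatePrincipalPolicy) is the authoritative check; this evaluator only illustrates the rules.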