如何限制AWS IAM用户能够执行" SSM运行命令"在特定的EC2服务器上

时间:2017-03-20 14:06:32

标签: amazon-web-services amazon-ec2 amazon-iam ssm

我正在尝试设置和分配策略,以便用户只能在授权或分配的EC2实例上触发AWS Systems Manager Services(SSM)运行命令。

要执行此操作,我按照https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sysman-configuring-access-iam-create.html的说明进行操作,并且根据它,我创建了以下自定义策略,仅为1个EC2实例提供配置访问权限:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ssm:ListDocuments",
                "ssm:DescribeDocument*",
                "ssm:GetDocument",
                "ssm:DescribeInstance*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "ssm:SendCommand",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0",
                "arn:aws:s3:::test-ssm-logs/TESTSERV",
                "arn:aws:ssm:us-east-1:123456789012:document/AWS-RunPowerShellScript"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/Name": "TESTSERV"
                }
            }
        },
        {
            "Action": [
                "ssm:CancelCommand",
                "ssm:ListCommands",
                "ssm:ListCommandInvocations"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "ec2:DescribeInstanceStatus",
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

我将上述策略分配给测试用户后,当我使用它登录并导航到"运行命令"时,在目标实例下我也看到其他EC2实例,我甚至可以执行命令他们也是。用户不应该只看到上述策略中指定的1个实例吗?

我不明白我在这里做错了什么以及如何解决?感谢您的帮助。

谢谢!

我有以下IAM策略分配给我的所有EC2系统实例:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeAssociation",
                "ssm:GetDeployablePatchSnapshotForInstance",
                "ssm:GetDocument",
                "ssm:GetParameters",
                "ssm:ListAssociations",
                "ssm:ListInstanceAssociations",
                "ssm:PutInventory",
                "ssm:UpdateAssociationStatus",
                "ssm:UpdateInstanceAssociationStatus",
                "ssm:UpdateInstanceInformation"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2messages:AcknowledgeMessage",
                "ec2messages:DeleteMessage",
                "ec2messages:FailMessage",
                "ec2messages:GetEndpoint",
                "ec2messages:GetMessages",
                "ec2messages:SendReply"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricData"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstanceStatus"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ds:CreateComputer",
                "ds:DescribeDirectories"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts",
                "s3:ListBucketMultipartUploads"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::amazon-ssm-packages-*"
        }
    ]
}

此外,我已将以下IAM策略分配给测试用户,以便他们可以启动/停止/重新启动EC2实例:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:RebootInstances"
            ],
            "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/Name": "TESTSERV"
                }
            }
        }
    ]
}

1 个答案:

答案 0 :(得分:3)

我能够通过调整政策来完成这项工作:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ssm:ListDocuments",
                "ssm:DescribeDocument*",
                "ssm:GetDocument",
                "ssm:DescribeInstance*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "ssm:SendCommand",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0",
                "arn:aws:s3:::nsight-ssm-logs/TESTSERV",
                "arn:aws:ssm:us-east-1::document/AWS-RunPowerShellScript"
            ]
        },
        {
            "Action": [
                "ssm:CancelCommand",
                "ssm:ListCommands",
                "ssm:ListCommandInvocations"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "ec2:DescribeInstanceStatus",
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

我的要求是只允许执行PowerShell脚本,所以行:

  

“ARN:AWS:SSM:我们 - 东 - 1 ::文件/ AWS-RunPowerShellScript”

您可以将 AWS-RunPowerShellScript 替换为*以允许所有命令。

此外,EC2角色分配是必要的,因为没有它我在Run Command下看不到任何实例。

另请注意,用户将看到Run Command下的所有实例,但只能执行为其分配策略的EC2实例的命令,即用户帐户。我认为没有任何选择来压制这一点。

感谢您的贡献和有用的提示。

相关问题
最新问题