IAM策略将用户限制为特定VPC中的实例

时间:2015-12-18 12:54:06

标签: amazon-web-services amazon-iam

我正在尝试IAM policy限制用户访问特定VPC中的所有实例。遵循我的政策,但没有工作。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1450441260778",
            "Action": "ec2:*",
            "Effect": "Allow",
            "Resource": "arn:aws:ec2:region:Account_num:vpc/vpc-id"
        }
    ]
}

我已在政策中填写相应的account_numvpc-id

1 个答案:

答案 0 :(得分:0)

某些权限无法应用于特定资源。当您在IAM中检查策略时,这些权限将显示错误。

为了将用户限制为特定的VPC并允许所有EC2操作,以下策略可以帮助您实现这一目标:

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "NonResourceBasedReadOnlyPermissions",
        "Action": [
            "ec2:Describe*",
            "ec2:CreateKeyPair",
            "ec2:CreateSecurityGroup",
            "iam:GetInstanceProfiles",
            "iam:ListInstanceProfiles"
        ],
        "Effect": "Allow",
        "Resource": "*"
    },
    {
        "Sid": "IAMPassroleToInstance",
        "Action": [
            "iam:PassRole"
        ],
        "Effect": "Allow",
        "Resource": "arn:aws:iam::123456789012:role/VPCLockDown"
    },
    {
        "Sid": "AllowInstanceActions",
        "Effect": "Allow",
        "Action": [
            "ec2:RebootInstances",
            "ec2:StopInstances",
            "ec2:TerminateInstances",
            "ec2:StartInstances",
            "ec2:AttachVolume",
            "ec2:DetachVolume"
        ],
        "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
        "Condition": {
            "StringEquals": {
                "ec2:InstanceProfile": "arn:aws:iam::123456789012:instance-profile/VPCLockDown"
            }
        }
    },
    {
        "Sid": "EC2RunInstances",
        "Effect": "Allow",
        "Action": "ec2:RunInstances",
        "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
        "Condition": {
            "StringEquals": {
                "ec2:InstanceProfile": "arn:aws:iam::123456789012:instance-profile/VPCLockDown"
            }
        }
    },
    {
        "Sid": "EC2RunInstancesSubnet",
        "Effect": "Allow",
        "Action": "ec2:RunInstances",
        "Resource": "arn:aws:ec2:us-east-1:123456789012:subnet/*",
        "Condition": {
            "StringEquals": {
                "ec2:vpc": "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-7bcd371e"
            }
        }
    },
    {
        "Sid": "RemainingRunInstancePermissions",
        "Effect": "Allow",
        "Action": "ec2:RunInstances",
        "Resource": [
            "arn:aws:ec2:us-east-1:123456789012:volume/*",
            "arn:aws:ec2:us-east-1::image/*",
            "arn:aws:ec2:us-east-1::snapshot/*",
            "arn:aws:ec2:us-east-1:123456789012:network-interface/*",
            "arn:aws:ec2:us-east-1:123456789012:key-pair/*",
            "arn:aws:ec2:us-east-1:123456789012:security-group/*"
        ]
    },
    {
        "Sid": "EC2VpcNonresourceSpecificActions",
        "Effect": "Allow",
        "Action": [
            "ec2:DeleteNetworkAcl",
            "ec2:DeleteNetworkAclEntry",
            "ec2:DeleteRoute",
            "ec2:DeleteRouteTable",
            "ec2:AuthorizeSecurityGroupEgress",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:RevokeSecurityGroupEgress",
            "ec2:RevokeSecurityGroupIngress",
            "ec2:DeleteSecurityGroup"
        ],
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "ec2:vpc": "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-7bcd371e"
            }
        }
    }
]
}

为了详细了解每个语句在做什么,我建议您从AWS阅读this blog。该政策允许用户:

  • 登录到AWS管理控制台,然后转到Amazon EC2控制台。
  • 启动EC2实例,只要它们:
      

    在适当的VPC中指定一个子网。   指定允许的实例配置文件。

  • 在实例上启动/停止/重新引导/终止/附加卷/分离卷,只要它们:
      

    指定使用适当的实例配置文件启动的实例。

  • 删除安全组,路由,路由表,网络ACL和ACL条目,以及授权和撤消安全组的进入和出口规则,只要它们在适当的VPC中即可。
相关问题
最新问题