我想创建一个策略,允许IAM用户或角色创建一组资源(例如EC2实例),然后仅管理(删除,更新等)这些资源。我希望我可以使用IAM变量,通配符和/或条件来实现这一点,但我不确定如何。
我的政策看起来像这样理想
{
"Effect": "Allow",
"Action": [
"ec2:*"
],
"Condition": [
{ "Created_By_The_Instance_Profile_In_The_CFN_Stack_That_Created_The_EC2Instance}" }
]
}
此外,如果我想授予EC2实例配置文件来执行ssm:如果在与EC2实例本身相同的堆栈中创建的SSM文档的CreateAssociation,该怎么办?换句话说,我有一个带有EC2实例的堆栈,IAM实例配置文件,一个IAM角色和一个SSM文档,我希望通过UserData在启动时将EC2实例创建为CreateAssociation。启动堆栈的用户应该有权创建这些资源,但不能创建新策略(有效地使他们成为管理员)。我想提前创建一个角色+策略,并授予堆栈创建者将此角色附加到它创建的IAM实例配置文件角色的能力。
所以,提前,我(管理员),创建一个政策和角色
"DeployerRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com",
"lambda.amazonaws.com"
],
"AWS": "*"
},
"Action": [
"sts:AssumeRole"
]
}
]
}
}
},
"PolicyManagerPolicy": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"Description": "Allows CFN deployer to attach and detach required policies.",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:AttachRolePolicy",
"iam:DetachRolePolicy"
],
"Resource": "*",
"Condition": {
"ArnEquals": {
"iam:PolicyArn": [
"The_Policy_Arn_I_Want_To_Create"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"iam:CreateRole"
],
"Resource": "*"
}
]
},
"Roles": [ { "Ref": "DeployerRole" } ]
}
}
"限制管理员" deployer(DeployerRole中的IAM用户)应该能够启动包含以下内容的堆栈:
我需要The_Policy_Arn_I_Want_To_Create来:
答案 0 :(得分:1)
ec2不知道创建该实例的帐户(如果启用CloudTrail,您可能会这样做),可能会在您使用用户帐户创建ec2实例时对其进行标记,然后从您的策略中读取该实例
"Condition": {"StringEquals": {"ec2:ResourceTag/<tag where the username will be>": "${aws:username}"