Restricting an AWS Elastic Beanstalk IAM role to full access on a single application

Time: 2016-12-08 12:23:02

Tags: amazon-web-services amazon-ec2 elastic-beanstalk roles amazon-iam

I am trying to grant an IAM user (with a console password) full access to an Elastic Beanstalk application (create/modify/delete environments). Following the AWS documentation here results in a user who can see the application but cannot see its environments or create new ones (message: Access denied, with no further explanation).

Here is the policy currently attached:

{
    "Version": "XXX-XX-XX",
    "Statement": [
        {
            "Sid": "StmtXXXXXXXXX",
            "Effect": "Allow",
            "Action": [
                "elasticbeanstalk:*",
                "autoscaling:*"
            ],
            "Resource": [
                "arn:aws:elasticbeanstalk:eu-west-1:<accountId>:application/<app-name>",
                "arn:aws:elasticbeanstalk:eu-west-1:<accountId>:applicationversion/<app-name>",
                "arn:aws:elasticbeanstalk:eu-west-1:<accountId>:environment/<app-name>/*",
                "arn:aws:elasticbeanstalk:us-west-1::solutionstack/*"
            ]
        },
        {
            "Action": [
                "elasticbeanstalk:CheckDNSAvailability",
                "elasticbeanstalk:CreateStorageLocation",
                "autoscaling:DescribeAutoScalingGroups"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Has anyone done this before?

1 answer:

Answer 0: (score: 1)

This is what I use. I couldn't be bothered to separate it any further. You can also use tags.

What I have been doing more and more is running things in separate accounts. If you have separate applications, there is little or no reason to keep them in the same account. You can give users cross-account access: https://aws.amazon.com/blogs/security/how-to-enable-cross-account-access-to-the-aws-management-console/

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "elasticloadbalancing:Describe*",
                "autoscaling:Describe*",
                "cloudwatch:Describe*",
                "cloudwatch:List*",
                "cloudwatch:Get*",
                "s3:Get*",
                "s3:List*",
                "sns:Get*",
                "sns:List*",
                "cloudformation:Describe*",
                "cloudformation:Get*",
                "cloudformation:List*",
                "cloudformation:Validate*",
                "cloudformation:Estimate*",
                "rds:Describe*",
                "elasticbeanstalk:CreateStorageLocation",
                "sqs:Get*",
                "sqs:List*",
                "autoscaling:SuspendProcesses",
                "autoscaling:ResumeProcesses",
                "autoscaling:UpdateAutoScalingGroup",
                "autoscaling:DescribeAutoScalingGroups",
                "cloudformation:UpdateStack",
                "cloudformation:DescribeStacks",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupIngress",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
                "elasticloadbalancing:DeregisterInstancesFromLoadBalancer"
            ],
            "Resource": [
                "arn:aws:elasticloadbalancing:eu-west-1:12345678910:loadbalancer/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticbeanstalk:Check*",
                "elasticbeanstalk:Describe*",
                "elasticbeanstalk:List*",
                "elasticbeanstalk:RequestEnvironmentInfo",
                "elasticbeanstalk:RetrieveEnvironmentInfo",
                "elasticbeanstalk:CreateApplicationVersion",
                "elasticbeanstalk:CreateConfigurationTemplate",
                "elasticbeanstalk:UpdateApplicationVersion",
                "elasticbeanstalk:UpdateConfigurationTemplate",
                "elasticbeanstalk:UpdateEnvironment",
                "elasticbeanstalk:DescribeEnvironmentResources",
                "elasticbeanstalk:ValidateConfigurationSettings"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "elasticbeanstalk:InApplication": [
                        "arn:aws:elasticbeanstalk:eu-west-1:12345678910:application/My App"
                    ]
                }
            }
        }
    ]
}
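The interesting part of the policy above is its third statement: instead of enumerating resource ARNs the way the question does, it grants on `Resource: "*"` and scopes the grant with the `elasticbeanstalk:InApplication` condition key, so every Elastic Beanstalk call is allowed only when the request belongs to `My App`. The following is an added example, not code from the question or the answer: a deliberately small model of IAM policy evaluation (wildcard `Action`/`Resource` matching, `StringEquals` conditions, explicit deny over allow, otherwise implicit deny) run against an abridged copy of the answer's policy with constructed request samples. The account id `12345678910` is the placeholder from the answer; `Other App`, the environment names and the S3 bucket are constructed. The samples also make one property of the posted policy visible: its action list contains no `CreateEnvironment` or `TerminateEnvironment`, so the asker's create/delete requirement is not covered as written.

```python
import fnmatch
import json

# Added example: toy model of IAM evaluation, enough to show how the
# elasticbeanstalk:InApplication condition scopes access to one application.
# Real decisions are made by AWS; this is not a substitute for the service.

ACCOUNT = "12345678910"  # placeholder account id taken from the answer
REGION = "eu-west-1"
MY_APP = f"arn:aws:elasticbeanstalk:{REGION}:{ACCOUNT}:application/My App"
OTHER_APP = f"arn:aws:elasticbeanstalk:{REGION}:{ACCOUNT}:application/Other App"  # constructed
MY_APP_ENV = f"arn:aws:elasticbeanstalk:{REGION}:{ACCOUNT}:environment/My App/prod"  # constructed
OTHER_APP_ENV = f"arn:aws:elasticbeanstalk:{REGION}:{ACCOUNT}:environment/Other App/prod"  # constructed

# Abridged copy of the answer's policy: a few unconditional actions from its
# first statement, plus its application-scoped third statement.
ANSWER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:Describe*", "elasticbeanstalk:CreateStorageLocation", "s3:PutObject"],
            "Resource": ["*"],
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticbeanstalk:Check*",
                "elasticbeanstalk:Describe*",
                "elasticbeanstalk:List*",
                "elasticbeanstalk:UpdateEnvironment",
                "elasticbeanstalk:CreateApplicationVersion",
            ],
            "Resource": ["*"],
            "Condition": {"StringEquals": {"elasticbeanstalk:InApplication": [MY_APP]}},
        },
    ],
}


def _matches(patterns, value):
    """IAM-style wildcard match ('*' and '?'); case-sensitive in this toy model."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """Only StringEquals is modelled, which is all the answer's policy uses."""
    for operator, clauses in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in clauses.items():
            if isinstance(expected, str):
                expected = [expected]
            # A missing context key never satisfies StringEquals.
            if context.get(key) not in expected:
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'allowed', 'explicitDeny' or 'implicitDeny' for one request."""
    context = context or {}
    decision = "implicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"  # an explicit deny always wins
        decision = "allowed"
    return decision


def run_samples():
    """Evaluate constructed requests against the abridged answer policy."""
    in_my_app = {"elasticbeanstalk:InApplication": MY_APP}
    in_other_app = {"elasticbeanstalk:InApplication": OTHER_APP}
    return {
        "update_my_env": evaluate(ANSWER_POLICY, "elasticbeanstalk:UpdateEnvironment", MY_APP_ENV, in_my_app),
        "update_other_env": evaluate(ANSWER_POLICY, "elasticbeanstalk:UpdateEnvironment", OTHER_APP_ENV, in_other_app),
        "describe_other_env": evaluate(ANSWER_POLICY, "elasticbeanstalk:DescribeEnvironments", OTHER_APP_ENV, in_other_app),
        # Not in the answer's action list, so it falls through to implicit deny.
        "terminate_my_env": evaluate(ANSWER_POLICY, "elasticbeanstalk:TerminateEnvironment", MY_APP_ENV, in_my_app),
        # Unconditional statement: allowed for any bucket, regardless of application.
        "put_any_object": evaluate(ANSWER_POLICY, "s3:PutObject", "arn:aws:s3:::some-bucket/key"),
    }


if __name__ == "__main__":
    print(json.dumps(run_samples(), indent=2))
```

Against the real service, the same questions can be asked of the full policy with `aws iam simulate-custom-policy`, passing the condition key through `--context-entries`; the toy above only shows why the condition-key approach scopes access where a list of resource ARNs in the question's policy did not.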