我正在尝试授予某个 IAM 用户对 Elastic Beanstalk 应用程序的完全访问权限(创建/修改/删除环境)。按照 AWS 文档(原文此处为链接)操作后,该用户能够查看应用程序,但无法查看环境,也无法创建新环境(提示:拒绝访问,没有给出进一步说明)。
以下是当前附加的策略:
{
"Version": "XXX-XX-XX",
"Statement": [
{
"Sid": "StmtXXXXXXXXX",
"Effect": "Allow",
"Action": [
"elasticbeanstalk:*",
"autoscaling:*"
],
"Resource": [
"arn:aws:elasticbeanstalk:eu-west-1:<accountId>:application/<app-name>",
"arn:aws:elasticbeanstalk:eu-west-1:<accountId>:applicationversion/<app-name>",
"arn:aws:elasticbeanstalk:eu-west-1:<accountId>:environment/<app-name>/*",
"arn:aws:elasticbeanstalk:us-west-1::solutionstack/*"
]
},
{
"Action": [
"elasticbeanstalk:CheckDNSAvailability",
"elasticbeanstalk:CreateStorageLocation",
"autoscaling:DescribeAutoScalingGroups"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
有没有人这样做过?
答案 0 :(得分:1)
这就是我所使用的策略。我没有再费心把它进一步拆分。您也可以改用标签来做限定。
我更常用的做法,是把越来越多的东西放到不同的账户中运行。如果是彼此独立的应用程序,那么几乎没有理由把它们放在同一个账户里。您可以为用户提供跨账户访问权限。 https://aws.amazon.com/blogs/security/how-to-enable-cross-account-access-to-the-aws-management-console/
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"elasticloadbalancing:Describe*",
"autoscaling:Describe*",
"cloudwatch:Describe*",
"cloudwatch:List*",
"cloudwatch:Get*",
"s3:Get*",
"s3:List*",
"sns:Get*",
"sns:List*",
"cloudformation:Describe*",
"cloudformation:Get*",
"cloudformation:List*",
"cloudformation:Validate*",
"cloudformation:Estimate*",
"rds:Describe*",
"elasticbeanstalk:CreateStorageLocation",
"sqs:Get*",
"sqs:List*",
"autoscaling:SuspendProcesses",
"autoscaling:ResumeProcesses",
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:DescribeAutoScalingGroups",
"cloudformation:UpdateStack",
"cloudformation:DescribeStacks",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress",
"s3:PutObject",
"s3:DeleteObject",
"s3:PutObjectAcl"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer"
],
"Resource": [
"arn:aws:elasticloadbalancing:eu-west-1:12345678910:loadbalancer/*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticbeanstalk:Check*",
"elasticbeanstalk:Describe*",
"elasticbeanstalk:List*",
"elasticbeanstalk:RequestEnvironmentInfo",
"elasticbeanstalk:RetrieveEnvironmentInfo",
"elasticbeanstalk:CreateApplicationVersion",
"elasticbeanstalk:CreateConfigurationTemplate",
"elasticbeanstalk:UpdateApplicationVersion",
"elasticbeanstalk:UpdateConfigurationTemplate",
"elasticbeanstalk:UpdateEnvironment",
"elasticbeanstalk:DescribeEnvironmentResources",
"elasticbeanstalk:ValidateConfigurationSettings"
],
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"elasticbeanstalk:InApplication": [
"arn:aws:elasticbeanstalk:eu-west-1:12345678910:application/My App"
]
}
}
}
]
}