I am reading documentation that contains the following:
Select the checkbox next to the “AmazonEC2ReadOnlyAccess” policy (recommended) and click “Next Step”.
If a custom policy is created, “DescribeRegions” and “DescribeInstances” permissions are required.
I tried to express this in a policy like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances", "ec2:DescribeImages",
        "ec2:DescribeTags", "ec2:DescribeSnapshots"
      ],
      "Resource": "*"
    }
  ]
}
but I cannot break the AmazonEC2ReadOnlyAccess policy down into the ec2:* format.
I have looked here:
and at the 825-page PDF on EC2: http://docs.aws.amazon.com/AWSEC2/latest/CommandLineReference/ec2-clt.pdf
Any other suggestions?
Answer 0: (score: 0)
Using the AWS console, navigate to IAM and then to Policies. Search for the policy of interest and click it. This takes you to a page that describes the policy and shows the equivalent JSON.
The equivalent JSON policy for AmazonEC2ReadOnlyAccess appears to be:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "elasticloadbalancing:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "autoscaling:Describe*",
      "Resource": "*"
    }
  ]
}
Note that this policy may change over time as new features and services are added. That is a good reason to consider using the AWS managed policy rather than maintaining your own equivalent.
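As an added check that is not part of the original question or answer: a small offline evaluator that applies IAM's case-insensitive wildcard action matching to both policies above and reports which of the documented required actions (DescribeRegions, DescribeInstances) each one leaves out. The policy documents are embedded as constructed sample input; the evaluator handles only plain Action/Resource statements with Allow and Deny, not NotAction, conditions or principals.

```python
import fnmatch
import json

# Constructed inputs: the custom policy from the question and the managed
# AmazonEC2ReadOnlyAccess policy as quoted in the answer.
CUSTOM_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["ec2:DescribeInstances", "ec2:DescribeImages",
               "ec2:DescribeTags", "ec2:DescribeSnapshots"]}]
}"""

MANAGED_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Allow", "Action": "elasticloadbalancing:Describe*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["cloudwatch:ListMetrics",
      "cloudwatch:GetMetricStatistics", "cloudwatch:Describe*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "autoscaling:Describe*", "Resource": "*"}
  ]
}"""

# Actions the quoted documentation says a custom policy must grant.
REQUIRED_ACTIONS = ["ec2:DescribeRegions", "ec2:DescribeInstances"]


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action names match case-insensitively; '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(policy, action, resource="*"):
    """Evaluate one action: an explicit Deny wins, otherwise any Allow grants it."""
    decision = False
    for stmt in _as_list(policy["Statement"]):
        if not any(action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def missing_actions(policy_json, required=REQUIRED_ACTIONS):
    """Return the required actions that the policy document does not allow."""
    policy = json.loads(policy_json)
    return [a for a in required if not is_allowed(policy, a)]


if __name__ == "__main__":
    print("custom policy lacks:", missing_actions(CUSTOM_POLICY_JSON))
    print("managed policy lacks:", missing_actions(MANAGED_POLICY_JSON))
```

Running it shows the custom policy in the question is missing ec2:DescribeRegions, while the managed policy's ec2:Describe* covers both required actions.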