AWS SSM: SendCommand does not work if I restrict access to specific instances

Time: 2018-03-05 15:21:26

Tags: amazon-web-services aws-ssm aws-ssm-document

I am using the default policy AmazonSSMMaintenanceWindowRole. In that policy I modified the permissions for ssm:SendCommand to restrict access to specific EC2 instances, and that does not work. If I set the resource to "*" for ssm:SendCommand, it works fine. Please tell me what I am doing wrong in restricting access.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "0",
            "Effect": "Allow",
            "Action": [
                "ssm:GetAutomationExecution",
                "ssm:GetParameters",
                "ssm:ListCommands",
                "ssm:StartAutomationExecution"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "1",
            "Effect": "Allow",
            "Action": [
                "ssm:SendCommand"
            ],
            "Resource": [
                "arn:aws:ec2:eu-west-1:*:instance/myinstance-id",
                "arn:aws:s3:::bucketname",
                "arn:aws:ssm:us-east-1:*:document/AWS-ApplyPatchBaseline"
            ]
        },
        {
            "Sid": "2",
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "arn:aws:lambda:*:*:function:SSM*",
                "arn:aws:lambda:*:*:function:*:SSM*"
            ]
        },
        {
            "Sid": "3",
            "Effect": "Allow",
            "Action": [
                "states:DescribeExecution",
                "states:StartExecution"
            ],
            "Resource": [
                "arn:aws:states:*:*:stateMachine:SSM*",
                "arn:aws:states:*:*:execution:SSM*"
            ]
        }
    ]
}
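Added example (not part of the original question, and no answer was posted): a small offline, simplified IAM-style evaluator that shows which resource ARNs an ssm:SendCommand call is authorized against. IAM checks a SendCommand call against every targeted instance ARN and against the SSM document ARN, and both are in the region the API call is made in. The evaluator implements only explicit Deny > Allow > implicit deny and the "*" / "?" wildcards, with no condition keys; the policy below is a constructed copy of the SendCommand statement from the question with its placeholders kept, the account id is hypothetical, and the empty account field for AWS-owned document ARNs is an assumption. It also shows, as a worked comparison the question does not contain, the same statement with the document ARN moved into the instance's region, and the Resource "*" variant the question says works.

```python
"""Offline, simplified IAM evaluation of an ssm:SendCommand call.

Added illustration, not code from the original post. It implements only the
parts of IAM policy evaluation needed here (explicit Deny > Allow > implicit
deny, '*' and '?' wildcards in Action and Resource) and ignores condition keys.
"""
import copy
import json
import re


def iam_match(pattern: str, value: str) -> bool:
    """IAM wildcard match: '*' is any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy: dict, action: str, resource_arn: str) -> str:
    """Decision for one (action, resource) pair: 'Allow', 'Deny' or 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(iam_match(a, action) for a in as_list(stmt.get("Action", []))):
            continue
        if not any(iam_match(r, resource_arn) for r in as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides any Allow
        decision = "Allow"
    return decision


def send_command_resources(region, account, instance_ids, document):
    """ARNs a SendCommand call is authorized against: every targeted instance
    plus the SSM document, all in the region the API call is made in."""
    arns = [f"arn:aws:ec2:{region}:{account}:instance/{i}" for i in instance_ids]
    # Assumption: AWS-owned documents carry an empty account field in their ARN.
    arns.append(f"arn:aws:ssm:{region}::document/{document}")
    return arns


def denied_resources(policy, region, account, instance_ids, document):
    """Resources the call is NOT allowed on; an empty list means the call passes."""
    return [arn for arn in send_command_resources(region, account, instance_ids, document)
            if evaluate(policy, "ssm:SendCommand", arn) != "Allow"]


# Constructed copy of the SendCommand statement from the question, placeholders kept as posted.
POSTED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "1",
    "Effect": "Allow",
    "Action": ["ssm:SendCommand"],
    "Resource": [
      "arn:aws:ec2:eu-west-1:*:instance/myinstance-id",
      "arn:aws:s3:::bucketname",
      "arn:aws:ssm:us-east-1:*:document/AWS-ApplyPatchBaseline"
    ]
  }]
}""")

# Same statement with the document ARN moved to the instance's region.
REGION_FIXED_POLICY = copy.deepcopy(POSTED_POLICY)
REGION_FIXED_POLICY["Statement"][0]["Resource"][2] = (
    "arn:aws:ssm:eu-west-1:*:document/AWS-ApplyPatchBaseline")

# The variant the question says works: Resource "*".
WILDCARD_POLICY = copy.deepcopy(POSTED_POLICY)
WILDCARD_POLICY["Statement"][0]["Resource"] = ["*"]

ACCOUNT = "123456789012"  # hypothetical account id


if __name__ == "__main__":
    for name, pol in [("posted", POSTED_POLICY), ("region-fixed", REGION_FIXED_POLICY),
                      ("wildcard", WILDCARD_POLICY)]:
        missing = denied_resources(pol, "eu-west-1", ACCOUNT, ["myinstance-id"],
                                   "AWS-ApplyPatchBaseline")
        print(f"{name:13s}: {'allowed' if not missing else 'denied on ' + ', '.join(missing)}")
    # A different instance is still refused by the region-fixed policy: the restriction working.
    print("other instance:", denied_resources(REGION_FIXED_POLICY, "eu-west-1", ACCOUNT,
                                              ["i-0abc"], "AWS-ApplyPatchBaseline"))
```

Two caveats the simplified evaluator does not model. First, when a maintenance window task targets instances by tag rather than by instance ID, the instance IDs are not in the request, so the instance resource has to be `arn:aws:ec2:<region>:<account>:instance/*` constrained with an `ssm:resourceTag/<key>` condition instead of a fixed instance ARN. Second, for a live check against the real IAM engine, `aws iam simulate-custom-policy --policy-input-list file://policy.json --action-names ssm:SendCommand --resource-arns <instance-arn> <document-arn>` reports the per-resource decision the same way this script does.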

0 answers:

No answers