我使用默认策略 AmazonSSMMaintenanceWindowRole。在该策略中，我修改了 ssm:SendCommand 的权限，以将访问限制在特定的 EC2 实例上，但这不起作用。如果我将 ssm:SendCommand 的 Resource 设为 "*"，它就运行正常。请告诉我在限制访问方面我做错了什么。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "0",
"Effect": "Allow",
"Action": [
"ssm:GetAutomationExecution",
"ssm:GetParameters",
"ssm:ListCommands",
"ssm:StartAutomationExecution"
],
"Resource": [
"*"
]
},
{
"Sid": "1",
"Effect": "Allow",
"Action": [
"ssm:SendCommand"
],
"Resource": [
"arn:aws:ec2:eu-west-1:*:instance/myinstance-id",
"arn:aws:s3:::bucketname",
"arn:aws:ssm:us-east-1:*:document/AWS-ApplyPatchBaseline"
]
},
{
"Sid": "2",
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction"
],
"Resource": [
"arn:aws:lambda:*:*:function:SSM*",
"arn:aws:lambda:*:*:function:*:SSM*"
]
},
{
"Sid": "3",
"Effect": "Allow",
"Action": [
"states:DescribeExecution",
"states:StartExecution"
],
"Resource": [
"arn:aws:states:*:*:stateMachine:SSM*",
"arn:aws:states:*:*:execution:SSM*"
]
}
]
}