AWS IAM EC2策略仅限于原始实例

时间:2019-03-15 15:13:18

标签: amazon-web-services amazon-ec2 amazon-iam

我正在进行设置,由于不活动(例如一段时间以来,Web服务器访问日志中没有新内容),因此我需要终止AWS实例。这些实例是测试实例,由CI / CD软件自动创建。

我希望这些实例表明自己已被抛弃并终止自己。我想为它们中的每一个分配一个通用的iam-role,它将只允许该实例本身终止,而不允许对等实例终止。

到目前为止,我到过这里: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#policy-vars-wheretouse https://www.reddit.com/r/aws/comments/4gglxk/iam_policy_to_allow_ec2_instance_to_only_query/ https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam_mfa-selfmanage.html

发现策略中有2个可用变量:

ec2-instance-id
ec2:SourceInstanceARN

我提出了一些角色策略的变体,但没有一个起作用:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:TerminateInstances",
            "Resource": "*",
            "Condition": {
                "ArnEquals": {
                    "ec2:SourceInstanceARN": "arn:aws:ec2:*:*:instance/${ec2-instance-id}"
                }
            }
        }
    ]
}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:TerminateInstances",
            "Resource": "arn:aws:ec2:*:*:instance/${ec2-instance-id}"
        }
    ]
}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:TerminateInstances",
            "Resource": "${ec2:SourceInstanceARN}"
        }
    ]
}

实际上是否有可能实现所需的行为,即仅允许实例对其自身执行特定操作(例如终止)?

更新:
我确实知道我可以使用标签,这就是我当时正在做的事情,但这意味着所有标记的实例都可以终止其对等实例。限制太宽松了,我想将其限制为实例

AWS IAM: Allow EC2 instance to stop itself
IAM policy to allow EC2 instance API access only to modify itself

1 个答案:

答案 0 :(得分:2)

您与condition关系密切。技巧是将实例ARN与ec2:sourceInstanceARN进行比较:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteTags",
                "ec2:DescribeTags",
                "ec2:CreateTags",
                "ec2:TerminateInstances",
                "ec2:StopInstances"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ARN": "${ec2:SourceInstanceARN}"
                }
            }
        }
    ]
}

很明显,出于测试目的,我允许具有此策略的实例标记并自行停止。