AWS Elastic Beanstalk - protecting the production environment from accidental deployments

Time: 2019-08-24 11:35:44

Tags: amazon-web-services web-deployment amazon-elastic-beanstalk

I am looking for advice on best practices for managing AWS Elastic Beanstalk applications.

I have an application with 2 different environments, called prod and dev. I want to allow all collaborators to deploy to the dev environment, and restrict deployments to prod to a single user.

What is the best way to do this?

1 answer:

Answer 0 (score: 2)

ElasticBeanstalk is tightly integrated with IAM.

Allowing or denying a user specific actions on specific resources is done by attaching the right policy to the assumed role.

This specific section of the ElasticBeanstalk docs explains IAM permissions in EB, and the last example on that page is essentially what you are looking for. Modify the policy shown to suit your needs and attach it to the users or user groups you want to deny access to the production environment.

Your policy would look like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "elasticbeanstalk:CreateApplication",
        "elasticbeanstalk:DeleteApplication"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "elasticbeanstalk:CreateApplicationVersion",
        "elasticbeanstalk:CreateConfigurationTemplate",
        "elasticbeanstalk:CreateEnvironment",
        "elasticbeanstalk:DeleteApplicationVersion",
        "elasticbeanstalk:DeleteConfigurationTemplate",
        "elasticbeanstalk:DeleteEnvironmentConfiguration",
        "elasticbeanstalk:DescribeApplicationVersions",
        "elasticbeanstalk:DescribeConfigurationOptions",
        "elasticbeanstalk:DescribeConfigurationSettings",
        "elasticbeanstalk:DescribeEnvironmentResources",
        "elasticbeanstalk:DescribeEnvironments",
        "elasticbeanstalk:DescribeEvents",
        "elasticbeanstalk:RebuildEnvironment",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RestartAppServer",
        "elasticbeanstalk:RetrieveEnvironmentInfo",
        "elasticbeanstalk:SwapEnvironmentCNAMEs",
        "elasticbeanstalk:TerminateEnvironment",
        "elasticbeanstalk:UpdateApplicationVersion",
        "elasticbeanstalk:UpdateConfigurationTemplate",
        "elasticbeanstalk:UpdateEnvironment",
        "elasticbeanstalk:ValidateConfigurationSettings"
      ],
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/Test/Test-env-prod"
      ]
    }
  ]
}

The policy above will prevent any user holding it from creating or deleting any application, and will further deny that user any of the listed actions on the listed resource ARN: the application named Test and the environment named Test-env-prod.

To restrict access to a specific environment, take this policy and modify the ARN's region (us-east-1), account number (123456789012), app name (Test), and environment name (Test-env-prod) to match your specific needs.

You can find the list of ElasticBeanstalk resource ARN formats here.
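As an added example (not code from the answer above or from AWS), the Python helper below builds a deny statement of the same shape for a single environment ARN and runs a simplified explicit-deny check over it, so you can confirm that the prod ARN is blocked while the dev ARN is untouched before attaching the policy to a group. The evaluator models only Deny statements with wildcard matching; it is not AWS's own policy simulator, and the region, account id and names are assumed placeholders.

```python
import fnmatch
import json

# Environment-level actions that change or tear down an environment; the
# Describe* actions from the answer are left out so collaborators can still
# see prod in listings while being unable to touch it.
PROD_MUTATING_ACTIONS = [
    "elasticbeanstalk:UpdateEnvironment",
    "elasticbeanstalk:RebuildEnvironment",
    "elasticbeanstalk:RestartAppServer",
    "elasticbeanstalk:SwapEnvironmentCNAMEs",
    "elasticbeanstalk:TerminateEnvironment",
]

def environment_arn(region, account_id, app_name, env_name):
    """Build the Elastic Beanstalk environment ARN in the format used by IAM."""
    return f"arn:aws:elasticbeanstalk:{region}:{account_id}:environment/{app_name}/{env_name}"

def prod_deny_policy(region, account_id, app_name, env_name):
    """Deny the mutating actions on exactly one environment ARN (the prod one)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": PROD_MUTATING_ACTIONS,
            "Resource": [environment_arn(region, account_id, app_name, env_name)],
        }],
    }

def is_denied(policy, action, resource):
    """Simplified IAM check: True if any Deny statement matches both the action
    (case-insensitive, wildcards allowed) and the resource ARN (wildcards allowed).
    Allow statements and Condition blocks are deliberately not modelled."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions)
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in resources)
        if action_hit and resource_hit:
            return True
    return False

if __name__ == "__main__":
    # Placeholder account and names, matching the answer's example values.
    policy = prod_deny_policy("us-east-1", "123456789012", "Test", "Test-env-prod")
    print(json.dumps(policy, indent=2))
    for env in ("Test-env-prod", "Test-env-dev"):
        arn = environment_arn("us-east-1", "123456789012", "Test", env)
        print(env, "UpdateEnvironment denied:", is_denied(policy, "elasticbeanstalk:UpdateEnvironment", arn))
```

Note that CreateApplicationVersion is an application-level call, so a deploy to dev still needs it allowed; denying it with a "*" resource, as the answer's first statement does for CreateApplication, would block dev deployments as well.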