
AWS IAM policy to restrict access to specific ec2 instances via ec2-instance-connect

I am creating an IAM policy to grant access to third party developers so that they can connect to EC2 instances in a private subnet via ec2-instance-connect.

The developers should only connect to specific instances via ec2-connect. How can I implement the policy?

My policy is below:

AWSTemplateFormatVersion: 2010-09-09
Description: Template for API functionality xxxxx
Metadata:
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Label:
          default: Environment basic parameters
        Parameters:
          - Env
          - AccountID
    ParameterLabels:
      Env:
        default: Environment ID
      AccountID:
        default: Account ID
Parameters:
  Env:
    Description: Unique environment.
    Type: String
    Default: lab
  AccountID:
    Description: Account ID.
    Type: String
    Default: 11113333444455
Resources:
  SiteManagementRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: !Sub 'Role-${Env}'
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: default
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AccountID}:root'
            Action: 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: !Sub 'Policy-${Env}'
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Sid: VisualEditor0
                Effect: Allow
                Action:
                  - 'ec2-instance-connect:SendSSHPublicKey'
                Resource: '*'
              - Sid: VisualEditor1
                Effect: Allow
                Action:
                  - 'ec2:DescribeImages'
                  - 'ec2:DescribeInstances'
                  - 'ec2:DescribeTags'
                  - 'ec2:DescribeInstanceAttribute'
                  - 'ec2:DescribeInstanceTypes'
                  - 'ec2:DescribeInstanceStatus'
                Resource: '*'
                # Condition:
                #   StringEquals:
                #     'ec2:ResourceTag/Env': !Sub '${Env}'
              - Sid: VisualEditor2
                Effect: Allow
                Action:
                  - 'logs:ListTagsLogGroup'
                  - 'logs:GetLogRecord'
                  - 'logs:DescribeLogGroups'
                  - 'logs:DescribeLogStreams'
                  - 'logs:StartQuery'
                  - 'logs:StopQuery'
                  - 'logs:TestMetricFilter'
                  - 'logs:GetLogDelivery'
                  - 'logs:GetQueryResults'
                  - 'logs:GetLogEvents'
                  - 'logs:FilterLogEvents'
                  - 'logs:GetLogGroupFields'
                Resource: '*'

I need to apply access restrictions based on tags, but there should be a better way to do this which will restrict developers to connecting to specific instances.

Here:

Action:
- 'ec2-instance-connect:SendSSHPublicKey'
Resource: '*' <--- I don't want it to be *

Please help.

Thanks in advance

From Set Up EC2 Instance Connect - Amazon Elastic Compute Cloud:

{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "ec2-instance-connect:SendSSHPublicKey",
        "Resource": [
            "arn:aws:ec2:region:account-id:instance/i-1234567890abcdef0",
            "arn:aws:ec2:region:account-id:instance/i-0598c7d356eba48d7"
        ],
        "Condition": {
            "StringEquals": {
                "ec2:osuser": "ami-username"
            }
        }
      }
    ]
}

The above policy will restrict access to specific instances and specific usernames. I'm not sure if the instances can be identified by Tag. You'll need to do some experimenting.
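As an added example (not code from the question, the answer, or AWS), a small Python model of how IAM evaluates the answer's policy, so the Resource list and the ec2:osuser condition can be checked offline before the template is deployed. The region, account ID and osuser values are constructed; the second policy goes beyond the page by selecting instances with the ec2:ResourceTag/Env condition key instead of an explicit ARN list.

```python
import fnmatch

# Policy quoted in the answer above; "region"/"account-id" and the osuser
# value are filled in with constructed values.
ARN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": "ec2-instance-connect:SendSSHPublicKey",
    "Resource": [
        "arn:aws:ec2:eu-west-1:111133334444:instance/i-1234567890abcdef0",
        "arn:aws:ec2:eu-west-1:111133334444:instance/i-0598c7d356eba48d7",
    ],
    "Condition": {"StringEquals": {"ec2:osuser": "ec2-user"}},
}]}

# Generalisation not shown on the page: select the instance by its Env tag
# (condition key ec2:ResourceTag/Env) instead of listing instance ARNs.
TAG_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": "ec2-instance-connect:SendSSHPublicKey",
    "Resource": "arn:aws:ec2:*:111133334444:instance/*",
    "Condition": {"StringEquals": {"ec2:osuser": "ec2-user",
                                   "ec2:ResourceTag/Env": "lab"}},
}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource_arn, context):
    """Simplified IAM evaluation: implicit deny unless a statement allows,
    an explicit Deny wins, only StringEquals conditions are modelled, and a
    condition key absent from the request context makes the condition false.
    IAM's '*' and '?' match across ':' and '/', which fnmatch also does."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, p) for p in _as_list(stmt["Resource"])):
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if any(context.get(k) not in _as_list(v) for k, v in equals.items()):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Call `is_allowed(ARN_POLICY, "ec2-instance-connect:SendSSHPublicKey", <instance ARN>, {"ec2:osuser": "ec2-user"})` with an ARN that is not in the list to confirm the request is denied; the AWS-side equivalent is the IAM policy simulator run against the real policy.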
