
Using Instance Profile to assign role vs. adding EC2 instance to trust relationship

We are newbies and learning AWS. So, please excuse our ignorance. We are creating a test environment to check how to allow least privilege access to, say, DynamoDB from EC2.

AWS documentation ( https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles/ ) suggests a couple of options without highlighting which ones allow least privilege access:

Step 1: Create a role with specific policy to allow access to DynamoDB.

Step 2: We are not sure whether we should:

  1. create an instance profile to assign this role to EC2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html]

OR

  1. Add EC2 to trust relationship policy to allow it to assume the role.

Can someone please guide us on which of the above two options allows least privilege access for security purpose? We even checked security best practice @ https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html , and couldn't get a clear answer.

If you create the instance role using the IAM console, the instance profile is automatically created for you. You don't have to do anything. What's more, the trust relationship will also be set up correctly.

Therefore, the only thing you have to do is to add the permissions that you require for DynamoDB to the role, and later to add the role/instance profile to your instance when you create it, or later on after it's been created.
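The trust relationship the answer describes (EC2 service principal, `sts:AssumeRole`) with a table-scoped DynamoDB permissions policy beside it, plus two small audit helpers, as an added example that is not part of the original post; the account id and table name are placeholders, and `trust_findings` / `permission_findings` are hypothetical helpers, not an AWS API:

```python
# Constructed example (placeholder account id and table name): the trust
# policy the IAM console attaches to an EC2 role, and a permissions policy
# scoped to one DynamoDB table instead of "dynamodb:*" on "*".
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}
TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/ExampleTable"
DYNAMODB_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
     "Resource": TABLE_ARN}]}

def _as_list(v):
    # IAM accepts a string or a list in most fields; normalise to a list.
    return v if isinstance(v, list) else [v]

def trust_findings(policy):
    """Problems with a trust policy: anything beyond 'EC2 may assume me'."""
    out = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        p = st.get("Principal")
        if not isinstance(p, dict):          # "*" or malformed
            out.append(f"unexpected principal: {p!r}")
            continue
        if "*" in _as_list(p.get("AWS", [])):
            out.append("any AWS principal may assume the role")
        elif "AWS" in p:
            out.append(f"account/user principals trusted: {p['AWS']}")
        for svc in _as_list(p.get("Service", [])):
            if svc != "ec2.amazonaws.com":
                out.append(f"unexpected service principal: {svc}")
    return out

def permission_findings(policy):
    """Problems with the permissions policy: wildcard actions or resources."""
    out = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        for a in _as_list(st.get("Action", [])):
            if a == "*" or a.endswith(":*"):
                out.append(f"wildcard action: {a}")
        if "*" in _as_list(st.get("Resource", [])):
            out.append("wildcard resource")
    return out
```

Run both helpers against the role's two policy documents (for example, the JSON returned by `aws iam get-role` and `aws iam get-role-policy`) before attaching the instance profile; an empty list from each means EC2 alone can assume the role and the role can touch only the one table.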
