[英]AWS IAM policy to restrict access to specific ec2 instances via ec2-instance-connect
我正在創建一個 IAM 策略來授予第三方開發人員訪問權限,以便他們可以通過 ec2-instance-connect 連接到私有子網中的 EC2 實例。
開發人員應僅通過 ec2-connect 連接到特定實例。 我如何才能實施該政策?
我的政策如下:
AWSTemplateFormatVersion: 2010-09-09
Description: Template for API functionality xxxxx
Metadata:
'AWS::CloudFormation::Interface':
ParameterGroups:
- Label:
default: Environment basic parameters
Parameters:
- Env
- AccountID
ParameterLabels:
Env:
default: Environment ID
AccountID:
default: Account ID
Parameters:
Env:
Description: Unique environment.
Type: String
Default: lab
AccountID:
Description: Account ID.
Type: String
Default: 11113333444455
Resources:
SiteManagementRole:
Type: 'AWS::IAM::Role'
Properties:
RoleName: !Sub 'Role-${Env}'
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Sid: default
Effect: Allow
Principal:
AWS: !Sub 'arn:aws:iam::${AccountID}:root'
Action: 'sts:AssumeRole'
Path: /
Policies:
- PolicyName: !Sub 'Policy-${Env}'
PolicyDocument:
Version: 2012-10-17
Statement:
- Sid: VisualEditor0
Effect: Allow
Action:
- 'ec2-instance-connect:SendSSHPublicKey'
Resource: '*'
- Sid: VisualEditor1
Effect: Allow
Action:
- 'ec2:DescribeImages'
- 'ec2:DescribeInstances'
- 'ec2:DescribeTags'
- 'ec2:DescribeInstanceAttribute'
- 'ec2:DescribeInstanceTypes'
- 'ec2:DescribeInstanceStatus'
Resource: '*'
# Condition:
# StringEquals:
# 'ec2:ResourceTag/Env': !Sub '${Env}'
- Sid: VisualEditor2
Effect: Allow
Action:
- 'logs:ListTagsLogGroup'
- 'logs:GetLogRecord'
- 'logs:DescribeLogGroups'
- 'logs:DescribeLogStreams'
- 'logs:StartQuery'
- 'logs:StopQuery'
- 'logs:TestMetricFilter'
- 'logs:GetLogDelivery'
- 'logs:GetQueryResults'
- 'logs:GetLogEvents'
- 'logs:FilterLogEvents'
- 'logs:GetLogGroupFields'
Resource: '*'
我需要根據標簽應用訪問限制,但應該有更好的方法來限制開發人員連接到特定實例。
這里:
Action:
- 'ec2-instance-connect:SendSSHPublicKey'
Resource: '*' <---I dont want it to be *
請幫忙。
提前致謝
從設置 EC2 實例連接 - Amazon Elastic Compute Cloud :
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2-instance-connect:SendSSHPublicKey",
"Resource": [
"arn:aws:ec2:region:account-id:instance/i-1234567890abcdef0",
"arn:aws:ec2:region:account-id:instance/i-0598c7d356eba48d7"
],
"Condition": {
"StringEquals": {
"ec2:osuser": "ami-username"
}
}
}
]
}
上述政策將限制對特定實例和特定用戶名的訪問。 我不確定是否可以通過 Tag 識別實例。 你需要做一些實驗。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.