如何解决基于资源标签的运行命令、立即修补、放置参数和启动会话的 AWS IAM 策略
正如标题所暗示的那样,我正在努力开发一个 IAM 策略,该策略将完全基于附加到 EC2 的标签实现以下目标:
- 使用标签
env:staging按需修补 EC2, - 在带有
env:staging标签的 EC2 上运行远程命令(文档), - 在上述机器上启动 SSM 会话,
- 停止他们自己的会话,
- 从 Parameter Store 放置和获取参数 至少。
我正在尝试 2 项政策。使用策略 #1,我能够成功启动和停止会话,但无法修补 - 缺少更多的修补权限。使用策略 #2,我可以启动和停止会话,还可以运行命令并修补“所有”实例,包括带有其他标签或没有标签的实例。有人可以帮我改进上面 #1 的要求吗?
政策 #1
{
"Version": "2012-10-17","Statement": [
{
"Sid": "VisualEditor0","Effect": "Allow","Action": [
"ssm:GetConnectionStatus","ssm:ListCommands","ssm:DescribeSessions","ssm:ListAssociationVersions","ssm:GetInventory","ssm:DescribeInstanceinformation","ssm:DescribeParameters","ssm:DescribeMaintenanceWindows","kms:GenerateDataKey","ssm:GetInventorySchema","ssm:DescribeAssociationExecutions","ssm:ListDocuments","ssm:ListCommandInvocations","ssm:DescribeAvailablePatches","ssm:DescribeInstanceProperties"
],"Resource": "*"
},{
"Sid": "VisualEditor1","Action": "ssm:SendCommand","Resource": "arn:aws:ec2:*:*:instance/*","Condition": {
"StringLike": {
"ssm:resourceTag/env": "staging"
}
}
},{
"Sid": "VisualEditor2","Action": "ssm:StartSession",{
"Sid": "VisualEditor3","Resource": "arn:aws:ssm:*:*:document/*"
},{
"Sid": "VisualEditor4","Action": "ssm:TerminateSession","Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"
},{
"Sid": "VisualEditor5","Action": "ssm:DescribedocumentParameters",{
"Sid": "VisualEditor6","Action": "ssm:ListDocumentVersions","Resource": "arn:aws:ssm:*:*:document/*"
}
]
}
政策 #2
{
"Version": "2012-10-17","Action": "ssm:*","Effect": "Deny","Condition": {
"StringNotLike": {
"ssm:resourceTag/env": "staging"
}
}
},"NotResource": "arn:aws:ssm:*:*:session/${aws:username}-*"
}
]
}
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。
