Minimal IAM policy for ec2:RunInstances

Ja͢*_*͢ck 17 amazon-ec2 amazon-web-services amazon-iam

I'm trying to narrow down the minimal policy needed to run a predefined machine image. The image is based on two snapshots, and I only want to allow launching the "m1.medium" instance type.

Based on this, and with the help of this page and this article, I came up with the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1385026304010",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:InstanceType": "m1.medium"
                }
            },
            "Resource": [
                "arn:aws:ec2:us-east-1::instance/*",
                "arn:aws:ec2:us-east-1::image/ami-f1c3e498",
                "arn:aws:ec2:us-east-1::snapshot/snap-e2f51ffa",
                "arn:aws:ec2:us-east-1::snapshot/snap-18ca2000",
                "arn:aws:ec2:us-east-1::key-pair/shenton",
                "arn:aws:ec2:us-east-1::security-group/sg-6af56d02",
                "arn:aws:ec2:us-east-1::volume/*"
            ]
        }
    ]
}

This policy narrows things down to the exact image, snapshots, security group and key pair, while leaving the specific instance and volume open.

The CLI command I'm using is as follows, as described here:

aws ec2 run-instances --dry-run \
    --image-id ami-f1c3e498 \
    --key-name shenton \
    --security-group-ids sg-6af56d02 \
    --instance-type m1.medium

My ~/.aws/config is as follows:

[default]
output = json
region = us-east-1
aws_access_key_id = ...
aws_secret_access_key = ...

The command results in a generic "You are not authorized to perform this operation" message, and the encoded authorization failure message indicates that none of my statements matched, so the operation was denied.

Changing it to "Resource": "*" obviously solves the problem, but I'd like to understand more about why the above doesn't work. I fully realize this involves a certain amount of guesswork, so I welcome any ideas.

Ja͢*_*͢ck 29

I got in touch with Jeff Barr from Amazon Web Services, and he helped me find out what the problem was.

First, you need to decode the authorization failure message with the following command:

$ aws sts decode-authorization-message --encoded-message 6gO3mM3p....IkgLj8ekf

Make sure the IAM user/role has permission for the sts:DecodeAuthorizationMessage action.

The response contains a DecodedMessage key holding another JSON-encoded body:

{
    "allowed": false,
    "explicitDeny": false,
    "matchedStatements": {
        "items": []
    },
    "failures": {
        "items": []
    },
    "context": {
        "principal": {
            "id": "accesskey",
            "name": "testuser",
            "arn": "arn:aws:iam::account:user/testuser"
        },
        "action": "ec2:RunInstances",
        "resource": "arn:aws:ec2:us-east-1:account:instance/*",
        "conditions": { ... }
    }
}

Under context => resource it shows the resource it tried to match against the policy; as you can see, it requires an account number. So the ARN documentation should be read as:

Unless otherwise specified, the region and account are required.

Adding the account number, or *, to the affected ARNs fixed the problem:

"Resource": [
    "arn:aws:ec2:us-east-1:*:instance/*",
    "arn:aws:ec2:us-east-1:*:image/ami-f1c3e498",
    "arn:aws:ec2:us-east-1:*:snapshot/snap-e2f51ffa",
    "arn:aws:ec2:us-east-1:*:snapshot/snap-18ca2000",
    "arn:aws:ec2:us-east-1:*:key-pair/shenton",
    "arn:aws:ec2:us-east-1:*:security-group/sg-6af56d02",
    "arn:aws:ec2:us-east-1:*:volume/*"
]

  • I've created [a small shell function](https://gist.github.com/xiongchiamiov/b0ef0251813625307371d0e11e131759) that parses out the message, unescapes it, and pretty-prints it, given just the initial encoded message. (2 upvotes)
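As an added example (not code from the question, the answer, or the linked gist): a small lint that catches the exact defect the answer describes, EC2 resource ARNs whose account field is left empty, rewrites them with "*", and summarizes a DecodedMessage body so the evaluated resource and its account field are visible at a glance. The sample policy and decoded message are constructed from what the page shows.

```python
# Added example, not code from the question or answer: flag IAM Resource ARNs whose
# account segment is empty (the cause of the denial on this page) and summarize a decoded message.
ARN_FIELDS = ("prefix", "partition", "service", "region", "account", "resource")

def parse_arn(arn):
    """Split 'arn:partition:service:region:account:resource' into its six fields."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return dict(zip(ARN_FIELDS, parts))

def arns_missing_account(policy):
    """Return every Resource ARN in the policy whose account segment is empty."""
    missing = []
    for stmt in policy["Statement"]:
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):  # "Resource" may be a bare string or a list
            resources = [resources]
        missing += [a for a in resources if a != "*" and parse_arn(a)["account"] == ""]
    return missing

def fill_account(arn, account="*"):
    """Rewrite an ARN whose account segment is empty to use `account` (default '*')."""
    fields = parse_arn(arn)
    if fields["account"] == "":
        fields["account"] = account
    return ":".join(fields[k] for k in ARN_FIELDS)

def summarize_denial(decoded):
    """From a DecodedMessage body: did any statement match, and which resource was evaluated?"""
    ctx = decoded["context"]
    return {"allowed": decoded["allowed"],
            "matched_statements": len(decoded["matchedStatements"]["items"]),
            "action": ctx["action"], "resource": ctx["resource"],
            "resource_account": parse_arn(ctx["resource"])["account"]}

# Constructed sample: the question's original policy, trimmed to three of its ARNs.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["ec2:RunInstances"], "Condition": {"StringEquals": {"ec2:InstanceType": "m1.medium"}},
    "Resource": ["arn:aws:ec2:us-east-1::instance/*", "arn:aws:ec2:us-east-1::image/ami-f1c3e498",
                 "arn:aws:ec2:us-east-1::volume/*"]}]}
# Constructed sample: the decoded message body from the answer, with conditions omitted.
SAMPLE_DECODED = {"allowed": False, "explicitDeny": False, "matchedStatements": {"items": []},
                  "failures": {"items": []}, "context": {"action": "ec2:RunInstances",
                  "resource": "arn:aws:ec2:us-east-1:account:instance/*", "conditions": {}}}

if __name__ == "__main__":
    print([(a, fill_account(a)) for a in arns_missing_account(SAMPLE_POLICY)])
    print(summarize_denial(SAMPLE_DECODED))
```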