Ant*_*kiy 3 amazon-ec2 amazon-web-services amazon-iam
我正在做一个设置,我需要终止 AWS 实例,因为不活动(即一段时间以来 Web 服务器访问日志中没有任何新内容)。这些实例是测试实例,由 CI/CD 软件自动创建。
我希望这些实例能够表明自己被抛弃并终止了自己。我想为它们中的每一个分配一个通用的 iam-role,它只允许实例终止自身而不是对等实例。
到目前为止,我一直在这里:https : //docs.aws.amazon.com/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#policy-vars-wheretouse https://www.reddit.com/r/aws/comments/4gglxk/iam_policy_to_allow_ec2_instance_to_only_query/ https:// /docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam_mfa-selfmanage.html
并发现策略中有 2 个可用变量:
ec2-instance-id
ec2:SourceInstanceARN
我想出了我的角色政策的一些变体,但它们都不起作用:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ec2:TerminateInstances",
"Resource": "*",
"Condition": {
"ArnEquals": {
"ec2:SourceInstanceARN": "arn:aws:ec2:*:*:instance/${ec2-instance-id}"
}
}
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ec2:TerminateInstances",
"Resource": "arn:aws:ec2:*:*:instance/${ec2-instance-id}"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ec2:TerminateInstances",
"Resource": "${ec2:SourceInstanceARN}"
}
]
}
实际上是否有可能实现所需的行为,即仅允许实例对自身执行特定操作(例如终止)?
更新:
我确实知道我可以使用标签,这就是我同时正在做的事情,但这意味着所有带标签的实例都可以终止它们的对等实例。这有点过于宽松的限制,我想真正将其限制在它的实例中
你和你的condition. 诀窍是将实例 ARN 与ec2:sourceInstanceARN:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ec2:DeleteTags",
"ec2:DescribeTags",
"ec2:CreateTags",
"ec2:TerminateInstances",
"ec2:StopInstances"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ARN": "${ec2:SourceInstanceARN}"
}
}
}
]
}
显然,出于测试目的,我允许使用此策略的实例自行标记和停止。
| 归档时间: |
|
| 查看次数: |
1310 次 |
| 最近记录: |