小编fam*_*aus的帖子

如何限制 AWS IAM 用户能够在特定 EC2 服务器上执行“SSM 运行命令”

我正在尝试设置和分配策略，以便用户只能在授权或分配给他们的 EC2 实例上触发 AWS Systems Manager Services (SSM) 运行命令。

为此，我按照https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sysman-configuring-access-iam-create.html中的说明进行操作，并根据其配置创建了以下自定义策略仅访问 1 个 EC2 实例：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ssm:ListDocuments",
                "ssm:DescribeDocument*",
                "ssm:GetDocument",
                "ssm:DescribeInstance*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "ssm:SendCommand",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0",
                "arn:aws:s3:::test-ssm-logs/TESTSERV",
                "arn:aws:ssm:us-east-1:123456789012:document/AWS-RunPowerShellScript"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/Name": "TESTSERV"
                }
            }
        },
        {
            "Action": [
                "ssm:CancelCommand",
                "ssm:ListCommands",
                "ssm:ListCommandInvocations"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "ec2:DescribeInstanceStatus",
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Run Code Online (Sandbox Code Playgroud)

将上述策略分配给测试用户后，当我使用它登录并导航到“运行命令”时，在“目标实例”下，我还看到其他 EC2 实例，甚至还可以对它们执行命令。用户难道不应该只看到上述策略中指定的 1 …

amazon-ec2 amazon-web-services amazon-iam ssm

fam*_*aus

2017 03-21

7
推荐指数

1
解决办法

6304
查看次数