AWS IAM SSM-限制实例可以运行的文档 [英] AWS IAM SSM - Restrict Documents that Instances can run

问题描述

是否有一种方法可以限制EC2实例的IAM策略。它只能运行简短的文档列表-我试图像这样限制对ssm：GetDocument的访问：

Is there a way to restrict the IAM policy for an EC2 instance s.t. it can only run a short list of Documents - I tried restricting access to ssm:GetDocument like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "ssm:GetDocument"
        ],
        "Resource": [
            "arn:aws:ssm:ap-southeast-2:*:document/MyCommand"
        ]
    }
 ]}

但是我仍然可以在实例上运行任何命令，包括AWS-RunPowershellScript文档。

But I can run any command on the instance still including the AWS-RunPowershellScript document.

此链接显示了如何限制用户的ssm：sendCommand：
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/delegate-commands.html

This link shows how users can be restricted with respect to ssm:sendCommand: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/delegate-commands.html

推荐答案

我还没有找到一种基于文档来限制SendCommand的方法。如果用户没有访问权限，则会收到如下错误：

I have not found a way to restrict SendCommand based on document. If a user does not have access, you get an error like this:

用户：arn：aws：iam :: 123456789012：user /用户名无权执行：资源上的ssm：SendCommand：arn：aws：ec2：us-east-1：123456789012：instance / i-01234567890abcdef

User: arn:aws:iam::123456789012:user/username is not authorized to perform: ssm:SendCommand on resource: arn:aws:ec2:us-east-1:123456789012:instance/i-01234567890abcdef

这表示可以根据实例ID限制SendCommand中的资源。如果其中一个条件是文档ARN，那就太好了，但是到目前为止，我还没有找到任何方法（在策略生成器向导中不是条件）。

This indicates that the Resource in SendCommand can be limited based on instance ids. It would be nice if one of the Conditions was a Document ARN, but so far I haven't found any way to do it (it's not a condition in the policy generator wizard).

更新：我在AWS论坛上发布了这个问题，希望我会得到答复： https://forums.aws.amazon.com/thread.jspa?threadID=249039

Update: I posted this question on the AWS forums, hopefully I'll get a response: https://forums.aws.amazon.com/thread.jspa?threadID=249039

更新2：我得到了回应，解决方案是要实现此目的，您必须使用Resource来指定允许在哪些实例上运行命令以及允许用户运行哪些文档。例如，这就是我最终得到的结果：

Update 2: I got a response and the solution is that to accomplish this you must use Resource to specify both what instances you allow commands to be run on, and what document the user is allowed to run. For example, this is what I ended up with:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:SendCommand"
            ],
            "Resource": [
                "arn:aws:ec2:*:123456789012:instance/*",
                "arn:aws:ssm:*:123456789012:document/RestartServices"
            ]
        }
    ]
}

这篇关于AWS IAM SSM-限制实例可以运行的文档的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！