AWS IAM EC2 policy limited to originating instance


Problem description

I'm working on a setup where I need to terminate AWS instances because of inactivity (i.e. nothing new in web-server access logs since a period of time). Those instances are testing instances and are created automatically by CI/CD software.

I would like those instances to identify themselves that they become abandoned and terminate themselves. I want to assign a generic iam-role to each of them that will only allow the instance the termination of itself and not the peer instances.

So far I've been here: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#policy-vars-wheretouse https://www.reddit.com/r/aws/comments/4gglxk/iam_policy_to_allow_ec2_instance_to_only_query/ https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam_mfa-selfmanage.html

And figured out that there are 2 variables available in policies:

ec2-instance-id
ec2:SourceInstanceARN

I came up with few variations of my role policy but none of them work:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:TerminateInstances",
            "Resource": "*",
            "Condition": {
                "ArnEquals": {
                    "ec2:SourceInstanceARN": "arn:aws:ec2:*:*:instance/${ec2-instance-id}"
                }
            }
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:TerminateInstances",
            "Resource": "arn:aws:ec2:*:*:instance/${ec2-instance-id}"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:TerminateInstances",
            "Resource": "${ec2:SourceInstanceARN}"
        }
    ]
}

Is it actually possible to achieve the desired behavior, i.e. to only allow instance to perform specific operation on itself (e.g. Termination)?

UPDATE:
I do know that I can work with tags, that is what I'm doing meanwhile, but that means that all tagged instances can terminate their peers. That is a bit too loose restriction, I'd like to really limit it to the instance it

Accepted answer

You were close with your condition. The trick is to compare the instance ARN with ec2:SourceInstanceARN:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteTags",
                "ec2:DescribeTags",
                "ec2:CreateTags",
                "ec2:TerminateInstances",
                "ec2:StopInstances"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ARN": "${ec2:SourceInstanceARN}"
                }
            }
        }
    ]
}

Clearly for testing purposes I allowed my instances with this policy to tag and stop themselves.
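What the self-terminating agent on the instance itself could look like, as an added example (my own code, not from the question or the answer above). It assumes the role policy from the answer is attached to the instance through an instance profile, a hypothetical access-log path and idle threshold, and that boto3 is installed on the instance; the idle check and ARN parsing are pure functions so they can be exercised offline. The agent only ever passes its own instance id to TerminateInstances, and the IAM policy is what denies anything else: the script is not the control, the policy is.

```python
"""Self-termination agent for an idle CI test instance (added example).

Assumptions (not part of the original question or answer):
  - the instance profile role carries the self-only TerminateInstances
    policy from the accepted answer;
  - the web server writes its access log to ACCESS_LOG (hypothetical path)
    and the file's mtime advances on every request;
  - boto3 is installed on the instance (imported lazily so the offline
    checks below do not need it).
"""
import json
import os
import time
import urllib.request

IMDS = "http://169.254.169.254"           # EC2 instance metadata service
ACCESS_LOG = "/var/log/nginx/access.log"  # hypothetical log path
IDLE_SECONDS = 2 * 60 * 60                # hypothetical 2 h idle threshold


def log_last_write(path):
    """mtime of the access log, or None when the file does not exist."""
    try:
        return os.stat(path).st_mtime
    except FileNotFoundError:
        return None


def idle_seconds(last_write, now):
    """Seconds since the last log write; None when there is no log at all."""
    if last_write is None:
        return None
    return max(0.0, now - last_write)


def is_abandoned(last_write, threshold, now):
    """True when the log exists but has not changed for `threshold` seconds.
    A missing log is deliberately treated as *not* abandoned, so a wrong
    ACCESS_LOG path can never trigger termination."""
    idle = idle_seconds(last_write, now)
    return idle is not None and idle >= threshold


def instance_id_from_arn(arn):
    """'arn:aws:ec2:eu-west-1:123456789012:instance/i-0abc' -> 'i-0abc'.
    Returns None for anything that is not an EC2 instance ARN, e.g. the
    value of ec2:SourceInstanceARN is the only ARN shape we accept."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "ec2" or not parts[5].startswith("instance/"):
        return None
    return parts[5][len("instance/"):]


def imds_get(path, token_ttl=60):
    """Read `/latest/<path>` from the metadata service using IMDSv2
    (PUT a session token first, then present it as a header)."""
    req = urllib.request.Request(
        f"{IMDS}/latest/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": str(token_ttl)})
    with urllib.request.urlopen(req, timeout=2) as resp:
        token = resp.read().decode()
    req = urllib.request.Request(
        f"{IMDS}/latest/{path}",
        headers={"X-aws-ec2-metadata-token": token})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def terminate_self(instance_id, region):
    """Terminate exactly this instance. With the role policy above, any other
    id in InstanceIds is rejected by IAM, which is the control we rely on."""
    import boto3  # lazy import: only needed on the instance itself
    ec2 = boto3.client("ec2", region_name=region)
    return ec2.terminate_instances(InstanceIds=[instance_id])


if __name__ == "__main__":
    if is_abandoned(log_last_write(ACCESS_LOG), IDLE_SECONDS, time.time()):
        # The identity document carries both instanceId and region.
        ident = json.loads(imds_get("dynamic/instance-identity/document"))
        print(terminate_self(ident["instanceId"], ident["region"]))
```

Run it from cron or a systemd timer on the instance. Reading the instance id from IMDSv2 rather than from a CI-supplied environment variable means the agent cannot be pointed at a peer by a misconfigured pipeline, and the missing-log case is handled as "keep running" so a typo in the log path fails safe.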
