IAM策略，仅允许EC2实例API访问来修改自身 [英] IAM policy to allow EC2 instance API access only to modify itself

问题描述

我正在尝试建立一个在启动时配置实例的应用程序，我想尽可能地关闭该应用程序的API访问权限.我目前的政策如下:

I'm trying to set up an app that configures my instances upon launch and I want to close down that app's API access as much as possible. My current policy is as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1388183890000",
      "Effect": "Allow",
      "Action": [
        "ec2:AssociateAddress",
        "ec2:CreateTags",
        "ec2:DescribeInstances",
        "ec2:RebootInstances"
      ],
      "Resource":"*"
    }
  ]
}

但是，这允许应用程序对EC2中的任何内容执行上述任何操作.有什么方法可以将应用程序在ec2实例上的操作锁定到该特定实例，或者锁定在具有相同IAM角色的所有框上?

However, this allows the app to perform any of these actions on anything in EC2. Is there a way I can lock down the actions of the app on an ec2 instance to either that specific instance, or to all of the boxes that have the same IAM role?

推荐答案

是的，可以.您首先需要为相关的EC2实例分配一些相关且通用的标签.然后使用ec2:ResourceTag/tag-key将IAM策略访问限制为仅对那些实例.

Yes, you can. You need to first assign some relevant and common tags to the EC2 instances in question. And then restrict the IAM policy access only to those instances using ec2:ResourceTag/tag-key.

检查此示例:

这是上面示例中的相关代码:

Here is the relevant code from above example:

    {
      "Effect": "Allow",
      "Action": "ec2:TerminateInstances",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
      "Condition": {
         "StringEquals": {
            "ec2:ResourceTag/purpose": "test"
         }
      }
   }

这样，您可以将访问权限限制为仅具有必需标记的实例.

This way, you can restrict the access to only those instances which have necessary tags.

在此处.希望这会有所帮助.

Read more about Tagging here. Hope this helps.

这篇关于IAM策略，仅允许EC2实例API访问来修改自身的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！