如何基于标签隐藏 EC2 中的实例 - 使用 IAM? [英] How to hide instances in EC2 based on tag - using IAM?

问题描述

我想在 IAM 中创建一个新用户，并允许他创建新的 EC2 实例，但只能查看/管理他创建的那些实例.

I want to create a new user in IAM, and allow him to be able to create new EC2 instances, but be able to view/administer only those instances that he creates.

这可以通过 IAM 实现吗?

Is this possible with IAM?

这是我尝试的组策略:

{
"Statement": 
[
{
  "Effect": "Allow",
  "Action": 
  [
    "ec2:DescribeImages",
    "ec2:DescribeKeyPairs", "ec2:DescribeSecurityGroups",
    "ec2:DescribeAvailabilityZones"
  ],
  "Resource": "*"
},

{
  "Effect": "Allow",
  "Action": 
  [
    "ec2:DescribeInstances","ec2:RunInstances", "ec2:TerminateInstances",
     "ec2:StartInstances", "ec2:StopInstances", "DescribeInstanceAttribute", "DescribeInstanceStatus"
  ],
  "Resource": "*",
  "Condition": 
  {
    "StringEquals": 
    {
      "ec2:ResourceTag/tag": "TheValueOfTheTag"
    }
  }

}
]
}

推荐答案

不幸的是，这还没有，至少不是您可能正在寻找的自动方式 - 您的用例有两个方面:

Unfortunately this isn't yet available, at least not in the automatic fashion you are probably looking for - your use case has two aspects:

的最新介绍EC2 和 RDS 资源的资源级权限最终允许将 Amazon EC2 API 操作限制为确实是特定的实例，从而从那个角度启用您的用例，例如:

The recent introduction of Resource-Level Permissions for EC2 and RDS Resources finally allows to constrain Amazon EC2 API actions to specific instances indeed, thus enabling your use case from that angle, e.g.:

• 允许用户在更大的多用户 EC2 环境中处理一组有限的资源.
• [...]
• 控制哪些用户可以终止哪些实例.

示例 IAM 政策 展示了如何允许用户对其名称的 Amazon DynamoDB 表进行所有操作匹配用户名，演示了策略变量 ${aws:username} 的使用(请参阅 IAM 政策变量概览 了解详情):

The Example IAM Policies feature one showing how to Allow a user all actions on an Amazon DynamoDB table whose name matches the user name, demonstrating the use of the policy variable ${aws:username} (see IAM Policy Variables Overview for details):

{
  "Version": "2012-10-17",
  "Statement": [{
      "Effect": "Allow",
      "Action": ["dynamodb:*"],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/${aws:username}"
    }
  ]
}

警告

此资源级权限尚不适用于所有 API 操作:

Caveat

This resource-level permissions aren't available for all API actions yet:

这是一项复杂且影响深远的功能，我们将推出分阶段.在第一阶段，对指定的以下操作资源现在支持资源级权限:

This is a complex and far-reaching feature and we'll be rolling it out in stages. In the first stage, the following actions on the indicated resources now support resource-level permissions:

Instances - Reboot, Start, Stop, Terminate.
EBS Volumes - Attach, Delete, Detach.

上面未列出的 EC2 操作将不受资源级别的约束此时的权限.我们计划添加对其他 API 的支持整个 2013 年剩余时间.

EC2 actions not listed above will not be governed by resource-level permissions at this time. We plan to add support for additional APIs throughout the rest of 2013.

值得注意的是，它缺少您似乎也在寻找的 ec2:Describe* 操作.

Notably it lacks the ec2:Describe*actions you seem to be looking for as well.

然而，AWS 尚未公开发布任何类型的审计功能(由于 Amazon IAM 有效)，这意味着无法找出哪个特定 IAM 用户创建了特定资源.

However, AWS has yet to publicly release any kind of auditing feature (which must be available internally due to the way Amazon IAM works), which means that there is no option to find out which particular IAM user has created a specific resource.

不出所料，AWS 同时发布了 AWS CloudTrail，这是一项网络服务记录您账户的 AWS API 调用并向您发送日志文件:

As expected, AWS has meanwhile released AWS CloudTrail, which is a web service that records AWS API calls for your account and delivers log files to you:

记录的信息包括API调用者的身份、API调用的时间，API调用者的源IP地址，请求参数，以及 AWS 返回的响应元素服务.

The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.

请参阅我对 亚马逊 s3/其他 AWS 服务上的操作的日志 的相关回答，了解一些详细信息和初始限制.

See my related answer to Logs for actions on amazon s3 / other AWS services for a few details and initial constraints.

我不知道有任何独立的解决方法 - 在合作环境中，您可以通过应用相应的监控和自动化来近似您想要的内容，如下所示:

I'm not aware of any self contained workaround - within a cooperative environment, you might be able to approximate what you want by applying respective monitoring and automation as follows:

1) 您需要强制用户只运行带有某种标记方案的 EC2 实例，例如owner=<用户名>

1) you need to mandate that users only ever run EC2 instances with some kind of tagging scheme, e.g. owner=<username>

2) 有了该方案，您可以应用基于 ${aws:username} 的策略，如上所述，分别为.基于标签的轻微变化 - AWS 安全博客有一篇综合文章 EC2 的资源级权限 - 控制特定实例上的管理访问 说明了这种方法 - 您的策略可能如下所示:

2) with that scheme in place, you could apply a ${aws:username} based policy as outlined above, resp. a slight variation based on tags - the AWS security blog has a comprehensive post Resource-level Permissions for EC2 – Controlling Management Access on Specific Instances illustrating this approach - your policy might look as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",      
        "ec2:RebootInstances",
        "ec2:TerminateInstances"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/owner":"${aws:username}"
        }
      },
      "Resource": [
        "arn:aws:ec2:your_region:your_account_ID:instance/*"
      ],
      "Effect": "Allow"
    }
  ]
}

3) 请注意，这意味着如果用户忘记使用正确的标签启动实例，他将无法管理他的实例，因此此外您可以使用类似 Netflix 的 Conformity Monkey 在启发式的基础上执行策略，即一旦实例在没有所需标签的情况下检测到，负责的人会收到通知，并可以尝试通过询问用户或关闭实例来强制执行此操作(当然也可以自动完成).

3) please note that this means a user won't be able to manage his instances if he forgets to start them with the correct tag, so in addition you could use something like the Netflix' Conformity Monkey to enforce the policy on a heuristic basis, i.e. once an instance is detected without the required tag, whoever is in charge gets a notification and can try to enforce this by inquiring the users or shutting down the instance (which could also be done automatically of course).

这篇关于如何基于标签隐藏 EC2 中的实例 - 使用 IAM?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！