Within IAM, can I restrict a group of users to access/launch/terminate only certain EC2 AMIs or instances?


Question

What the title says.

Within the master AWS account, I have several personal accounts, i.e. AWS Identity and Access Management (IAM) users. I would like to assign certain IAM users to groups and prevent them from terminating certain Amazon EC2 instances, de-registering certain Amazon Machine Images (AMIs), etc.

I don't mind if they're playing with their own stuff, but I don't want them to touch my stuff.

Is this possible?

Recommended Answer

Update

AWS has just announced Resource-Level Permissions for Amazon EC2 and Amazon RDS (http://aws.typepad.com/aws/2013/07/resource-permissions-for-ec2-and-rds-resources.html) to address this long standing shortcoming of IAM support within EC2 and RDS (in comparison to other AWS services, see my original answer below for details/background):

Today we are making IAM even more powerful with the introduction of resource-level permissions for Amazon EC2 and Amazon RDS. [...]

On the EC2 side, you can now construct and use IAM policies to control access to EC2 instances, EBS volumes, images, and Elastic IP addresses. [...]

Here are just a few of the things that you can do:

  • Allow users to act on a limited set of resources within a larger, multi-user EC2 environment.
  • Set different permissions for "development" and "test" resources.
  • Control which users can terminate which instances.
  • Require additional security measures, such as MFA authentication, when acting on certain resources.

This solves a plethora of security complications and enables quite a few new use cases as well.

Furthermore, EC2 policy statements can include references to tags on EC2 resources, which allows using the same tagging model and schema for permissions and for billing reports. Finally, there's an expanded set of condition keys [...] including ec2:Region, ec2:Owner, and ec2:InstanceType, see Condition Keys for Amazon EC2 (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#amazon-ec2-keys) for details.

Here's a variation of Example 3: Allow users to stop and start only particular instances (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html#ex3) for the use case at hand, which allows users to start and stop [and terminate] only the instances that have the tag "department=dev":

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ec2:StopInstances",
      "ec2:StartInstances",
      "ec2:TerminateInstances"
    ],
    "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
    "Condition": {
      "StringEquals": {
        "ec2:ResourceTag/department": "dev"
      }
    }
  }]
}

Caveat

Support for resource-level permissions is still restricted to the following set of actions on the indicated resources, which excludes parts of the use case (e.g. de-registering AMIs) - the confidence in the foundation for this complex and far-reaching feature is apparently high enough though to announce that they plan to add support for additional APIs throughout the rest of 2013 (AWS doesn't usually publish any roadmaps):

  • Instances - Reboot, Start, Stop, Terminate
  • EBS Volumes - Attach, Delete, Detach

Original Answer

I'm afraid this isn't possible the way you'd like to do it (and many others for that matter, including myself).

You want to restrict access to a particular service's resources rather than its actions - while AWS Identity and Access Management (IAM) supports both in principle, not every AWS product/service offers restrictions based on resources yet; unfortunately Amazon EC2 is one of these and is even featured as an example for this very difference, see Integrating with Other AWS Products (http://docs.amazonwebservices.com/IAM/latest/UserGuide/Using_SpecificProducts.html):

The following table summarizes whether you can grant IAM permissions that control access to a service's actions, resources, or both. For example, you can use IAM to control which Amazon EC2 actions users have access to, but you can't use IAM to control users' access to AMIs, volumes, instances, etc. [emphasis mine]

(Partial) Workaround

Depending on the needs of the other accounts, you might still be able to at least limit their ability to perform those actions considered destructive - you can explore the available actions via the AWS Policy Generator, for example:

  • ec2:DeregisterImage - obvious effect, when denied for a user/group
  • ec2:ModifyInstanceAttribute - this would help via Enabling Termination Protection for an Instance (http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/Using_ChangingDisableAPITermination.html), when denied for a user/group:

By default, you can terminate any instances you launch. If you want to prevent accidental termination of the instance, you can enable termination protection for the instance.

That is, once you've enabled termination protection, anyone without permission to use ec2:ModifyInstanceAttribute cannot terminate these instances at all.

Obviously the respectively restricted accounts won't be able to make those calls for their own resources anymore.

Furthermore, this won't prevent them from running a fancy Cluster Compute Eight Extra Large Instance or so, incurring the respective costs in turn ;)

Depending on your setup/environment you might want to look into Consolidated Billing instead, which essentially provides a way to gather one or many AWS accounts under another one, which pays for the resources used by the others.

While this is primarily an accounting feature, it can be used to separate areas of concern as well - for example, it's quite common to run separate development and production accounts to achieve respectively independent operation, not least regarding IAM rights and the like.

The introductory blog post New AWS Feature: Consolidated Billing provides a good overview, and here is the relevant topic from the AWS Consolidated Billing Guide (http://docs.amazonwebservices.com/AWSConsolidatedBilling/1.0/AWSConsolidatedBillingGuide.html) regarding your apparent use case:

The paying account is billed for all costs of the linked accounts. However, each linked account is completely independent in every other way (signing up for services, accessing resources, using AWS Premium Support, etc.). The paying account owner cannot access data belonging to the linked account owners (e.g., their files in Amazon S3). Each account owner uses their own AWS credentials to access their resources (e.g., their own AWS Secret Access Key). [emphasis mine]

Obviously this functionality is targeted at larger customers, but depending on your scenario you might still be able to come up with a solution to separate your AWS accounts and resources as needed.
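The answer above shows two policy patterns: the tag-scoped Allow from the update (ec2:ResourceTag/department = dev on a region-specific instance ARN) and the original answer's partial workaround of denying ec2:DeregisterImage and ec2:ModifyInstanceAttribute so that termination protection cannot be lifted. The following is an added example, not code from the answer or from AWS: a deliberately simplified, offline model of how IAM combines such statements (wildcard matching on Action and Resource, only the StringEquals condition operator, explicit Deny overriding any Allow, implicit deny otherwise). The account ID is the one used in the answer's policy; the instance IDs, AMI ID, tag values and the broad "ec2:*" group policy are constructed sample values.

```python
"""Offline model of how IAM combines the policy patterns from the answer above.

Added example for this page, not the answer's or AWS's code. Simplifications:
wildcard matching on Action/Resource, only the StringEquals condition operator,
explicit Deny overrides Allow, and anything unmatched is implicitly denied.
The instance/AMI IDs, tag values and the broad group policy are constructed.
"""
import fnmatch
import json

# Policy 1: the tag-scoped Allow from the accepted answer (variation of Example 3).
TAG_SCOPED_ALLOW = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:StopInstances", "ec2:StartInstances", "ec2:TerminateInstances"],
    "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
    "Condition": {"StringEquals": {"ec2:ResourceTag/department": "dev"}}
  }]
}""")

# Policy 2 (constructed): a broad EC2 grant for a group that may "play with their own stuff".
BROAD_EC2_ALLOW = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]
}""")

# Policy 3: the original answer's partial workaround expressed as an explicit Deny.
# Together with termination protection on the instances, denying ModifyInstanceAttribute
# means the group cannot lift the protection and therefore cannot terminate them.
DESTRUCTIVE_ACTIONS_DENY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": ["ec2:DeregisterImage", "ec2:ModifyInstanceAttribute"],
    "Resource": "*"
  }]
}""")


def _as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """Case-sensitive wildcard match; '*' and '?' behave like IAM's wildcards."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Only StringEquals is modelled: every listed key must equal the request context value."""
    for key, expected in condition.get("StringEquals", {}).items():
        if context.get(key) != expected:
            return False
    return True


def evaluate(policies, action, resource_arn, context=None):
    """Return 'Allow' or 'Deny' for one request against a set of identity policies.

    Mirrors the documented precedence: an explicit Deny always wins, a matching
    Allow is required for access, and with no match the request is implicitly denied.
    """
    context = context or {}
    decision = "Deny"  # implicit deny until some Allow statement matches
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action):
                continue
            if not _matches(stmt["Resource"], resource_arn):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny: nothing else can override it
            decision = "Allow"
    return decision


# Constructed sample resources (the account ID is the one from the answer's policy).
DEV_INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0constructeddev"
PROD_INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0constructedprod"
SAMPLE_AMI = "arn:aws:ec2:us-east-1::image/ami-0constructed"

if __name__ == "__main__":
    # Tag-scoped policy: terminating a dev-tagged instance is allowed, a prod one is not.
    print(evaluate([TAG_SCOPED_ALLOW], "ec2:TerminateInstances", DEV_INSTANCE,
                   {"ec2:ResourceTag/department": "dev"}))   # Allow
    print(evaluate([TAG_SCOPED_ALLOW], "ec2:TerminateInstances", PROD_INSTANCE,
                   {"ec2:ResourceTag/department": "prod"}))  # Deny
    # Workaround: broad EC2 rights, but the explicit Deny still blocks the two
    # destructive calls no matter how generous the Allow statements are.
    group = [BROAD_EC2_ALLOW, DESTRUCTIVE_ACTIONS_DENY]
    print(evaluate(group, "ec2:StartInstances", DEV_INSTANCE))            # Allow
    print(evaluate(group, "ec2:ModifyInstanceAttribute", PROD_INSTANCE))  # Deny
    print(evaluate(group, "ec2:DeregisterImage", SAMPLE_AMI))            # Deny
```

The two patterns compose: the tag-scoped Allow limits which instances a group can act on at all (note that it is also bound to us-east-1 through the ARN, so a dev-tagged instance in another region is implicitly denied), while the explicit Deny is the safety net for the actions that resource-level permissions did not yet cover, since no Allow in any attached policy can override it.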
