
How do I restrict an IAM identity's access to specific Amazon EC2 resources?


I want to restrict an AWS Identity and Access Management (IAM) identity's access to specific Amazon Elastic Compute Cloud (Amazon EC2) resources.

Short description

Amazon EC2 provides partial support for resource-level permissions and conditions. You can use resource-level permissions to control how an IAM identity is allowed to access specific Amazon EC2 resources.

You can also use ABAC (tag-based authorization) to control access to AWS resources. For more information, see IAM tutorial: Define permissions to access AWS resources based on tags.

Resolution

Use the following example IAM policies to restrict access to Amazon EC2 instances according to your use case. Then, attach the policy to the IAM identity whose access you want to restrict.

Restrict access to only starting, stopping, or rebooting instances

The following example policy restricts the IAM identity's access to only starting, stopping, or rebooting EC2 instances:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:RebootInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:AccountId:instance/*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/Owner": "Bob"
                }
            }
        }
    ]
}

Note: Replace Owner with the appropriate tag key, Bob with the appropriate tag value, and AccountId with the appropriate AWS account ID.

To restrict other Amazon EC2 resources by AWS Region, make sure that the actions involved support resource-level permissions and conditions.

Restrict launching EC2 instances by tag

The following example policy uses the Owner tag key to restrict the IAM identity to launching EC2 instances only when that tag key is specified:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:AccountId:instance/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:RequestTag/Owner": "*"
                }
            }
        },
        {
            "Sid": "AllowRunInstances",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:*::image/*",
                "arn:aws:ec2:*::snapshot/*",
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:key-pair/*",
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ec2:*:*:volume/*"
            ]
        },
        {
            "Sid": "AllowToDescribeAll",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowCreateTagsOnLaunching",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": [
                "arn:aws:ec2:*:AccountId:*/*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": [
                        "RunInstances"
                    ]
                }
            }
        }
    ]
}

Note: Replace Owner with the appropriate tag key and AccountId with the appropriate account ID.

Restrict launching EC2 instances by instance type

The following example policy restricts the IAM identity's access to launching EC2 instances only with t3.* instance types:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:AccountId:instance/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "ec2:InstanceType": "t3.*"
                }
            }
        },
        {
            "Sid": "AllowRunInstances",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:*::image/*",
                "arn:aws:ec2:*::snapshot/*",
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:key-pair/*",
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ec2:*:*:volume/*"
            ]
        },
        {
            "Sid": "AllowToDescribeAll",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowCreateTagsOnLaunching",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": [
                "arn:aws:ec2:*:AccountId:*/*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": [
                        "RunInstances"
                    ]
                }
            }
        }
    ]
}

Note: Replace the instance type t3.* with the appropriate instance type, for example t3.nano. Also, replace AccountId with the appropriate account ID.

For more information, see Amazon EC2 instance type naming conventions.
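The following Python model, added here as an example and not part of the original article, shows why the Deny statements in the two RunInstances policies above do the restricting: it implements the explicit-deny-overrides-allow rule and StringNotLike wildcard matching, including IAM's rule that a negated operator is satisfied when its condition key (for example aws:RequestTag/Owner on an untagged launch) is absent from the request. The account ID, request ARN and request contexts are constructed sample values.

```python
# Simplified model of the IAM evaluation behind the RunInstances policies above
# (constructed example, not the real IAM engine): explicit Deny overrides Allow,
# '*' and '?' are StringLike wildcards, negated operators pass on absent keys.
import fnmatch
import json

ACCOUNT = "123456789012"  # constructed sample value standing in for AccountId
POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Deny", "Action": "ec2:RunInstances",
   "Resource": "arn:aws:ec2:*:AccountId:instance/*",
   "Condition": {"StringNotLike": {"aws:RequestTag/Owner": "*"}}},
  {"Effect": "Deny", "Action": "ec2:RunInstances",
   "Resource": "arn:aws:ec2:*:AccountId:instance/*",
   "Condition": {"StringNotLike": {"ec2:InstanceType": "t3.*"}}},
  {"Effect": "Allow", "Action": "ec2:RunInstances",
   "Resource": "arn:aws:ec2:*:*:instance/*"}]}""".replace("AccountId", ACCOUNT))

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _like(value, pattern):  # IAM string matching is case-sensitive
    return fnmatch.fnmatchcase(value, pattern)

OPERATORS = {
    "StringEquals": lambda v, p: v == p,
    "StringLike": _like,
    "StringNotLike": lambda v, p: not _like(v, p),
}

def condition_matches(condition, context):
    """Every operator block must match; within one block any listed value may."""
    for op, pairs in condition.items():
        for key, patterns in pairs.items():
            if key not in context:
                if op.startswith("StringNot"):  # absent key satisfies negated ops
                    continue
                return False
            if not any(OPERATORS[op](context[key], p) for p in _as_list(patterns)):
                return False
    return True

def evaluate(policy, action, resource, context):
    decision = "ImplicitDeny"  # no matching Allow means the request is denied
    for s in policy["Statement"]:
        if (any(_like(action, a) for a in _as_list(s["Action"]))
                and any(_like(resource, r) for r in _as_list(s["Resource"]))
                and condition_matches(s.get("Condition", {}), context)):
            if s["Effect"] == "Deny":
                return "Deny"  # an explicit Deny always wins
            decision = "Allow"
    return decision
```

Running evaluate with an untagged launch, a tagged t3.micro launch and a tagged m5.large launch against the instance ARN shows the Deny, Allow, Deny outcomes the article describes.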

Related information

How do I create an IAM policy to control access to Amazon EC2 resources using tags?

How can I use IAM policy tags to restrict how an EC2 instance or EBS volume can be created or accessed?

Identity-based policies for Amazon EC2