2013-12-12 36 views
Score: 5

AWS IAM access management

I know you can set up IAM policies to restrict access to services. But is it possible to write a policy that allows access to only part of a service?

E.g. I have two EC2 instances. I need to create two users so that they can access the AWS console, but each user can only access one EC2 instance.

Answers

Score: 5

Yes, you can, using Resource-Level Permissions for EC2.

The structure of a resource, as stated in the documentation, is as follows:

arn:aws:[service]:[region]:[account]:resourceType/resourcePath 

Here is how you would organize the IAM policy for each user:

User 1

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ec2:*",
        "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/InstanceIdOne"
    }]
}

User 2

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ec2:*",
        "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/InstanceIdTwo"
    }]
}
Score: 1

A policy that does not grant ec2:DescribeInstances will not work properly. You need to allow DescribeInstances on all resources, and manage the other access, such as modifying or deleting specific instances, as needed.

In short, allow all users to perform all the basic operations, such as describing tags, instances, network ACLs, images and so on, and allow the specific destructive operations (such as modify and delete) only to selected users.

Refer to the EC2 action list here: http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_Operations.html

So you have 2 options:

  1. Create one policy as shown below and attach the same policy to both users

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ec2:*Describe*",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:*Modify*",
                    "ec2:*Delete*"
                ],
                "Resource": "arn:aws:ec2:us-east-1:AWS-account-ID:instance/InstanceIdOne",
                "Condition": { "StringEquals": { "aws:username": "user-name-1" } }
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:*Modify*",
                    "ec2:*Delete*"
                ],
                "Resource": "arn:aws:ec2:us-east-1:AWS-account-ID:instance/InstanceIdTwo",
                "Condition": { "StringEquals": { "aws:username": "user-name-2" } }
            }
        ]
    }
    
  2. Create 2 different policies. Below is an example of one of them

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ec2:*Describe*",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:*Modify*",
                    "ec2:*Delete*"
                ],
                "Resource": "arn:aws:ec2:us-east-1:AWS-account-ID:instance/InstanceIdOne"
            }
        ]
    }
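An added example, not from the question or either answer, that makes the two answers' points checkable offline: a small Python evaluator for identity-based policies, modelled loosely on IAM's default-deny / explicit-deny-wins logic, plus a linter for the two pitfalls a reviewer would raise against such a policy (a Principal element, which identity-based policies cannot carry, and Describe* actions scoped to an instance ARN, which EC2 does not support and which therefore denies the call instead of scoping it). The policy, account id, user names and instance ids are constructed; the evaluator is deliberately simplified (no NotAction or NotResource, and StringEquals is the only condition operator modelled) and is not AWS's engine.

```python
import json
import re

# Constructed sample policy in the shape of the single-policy option above: read-only
# Describe* on everything, mutating actions per user via the aws:username condition key.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:*Describe*", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["ec2:*Modify*", "ec2:*Delete*"],
     "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-0aaaaaaaaaaaaaaa1",
     "Condition": {"StringEquals": {"aws:username": "alice"}}},
    {"Effect": "Allow",
     "Action": ["ec2:*Modify*", "ec2:*Delete*"],
     "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-0bbbbbbbbbbbbbbb2",
     "Condition": {"StringEquals": {"aws:username": "bob"}}}
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_to_regex(pattern):
    # IAM patterns know only '*' and '?'; everything else is literal.
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$")


def _matches(patterns, value, ignore_case=False):
    # Action names are case-insensitive in IAM; resource ARNs are not.
    for pattern in _as_list(patterns):
        if ignore_case:
            pattern, value = pattern.lower(), value.lower()
        if _wildcard_to_regex(pattern).match(value):
            return True
    return False


def _condition_holds(condition, context):
    # Only StringEquals is modelled; any other operator is an explicit gap, not a silent pass.
    for operator, pairs in (condition or {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource, context):
    """Simplified identity-policy evaluation: default deny, any matching Deny wins,
    otherwise allowed if some Allow statement matches action, resource and condition."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action, ignore_case=True):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def lint_ec2_policy(policy):
    """Findings a reviewer would raise against an identity-based EC2 policy."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt["Resource"])
        is_describe = [re.search("describe", a, re.I) is not None for a in actions]
        if "Principal" in stmt:
            findings.append(f"statement {i}: Principal is not allowed in an identity-based policy")
        # EC2 Describe* calls carry no resource ARN, so a narrower Resource never matches.
        if any(is_describe) and "*" not in resources:
            findings.append(f'statement {i}: Describe actions need Resource "*" to work')
        # The inverse smell: a mutating action granted on every resource.
        if stmt["Effect"] == "Allow" and "*" in resources and not all(is_describe):
            findings.append(f"statement {i}: mutating actions granted on every resource")
    return findings


if __name__ == "__main__":
    arn1 = "arn:aws:ec2:us-east-1:123456789012:instance/i-0aaaaaaaaaaaaaaa1"
    print(is_allowed(SAMPLE_POLICY, "ec2:ModifyInstanceAttribute", arn1, {"aws:username": "alice"}))
    print(is_allowed(SAMPLE_POLICY, "ec2:ModifyInstanceAttribute", arn1, {"aws:username": "bob"}))
    print(lint_ec2_policy(SAMPLE_POLICY))
```

Running the evaluator against the sample also shows a gap in the "Modify/Delete" wildcard idea from the second answer: ec2:TerminateInstances matches neither ec2:*Modify* nor ec2:*Delete*, so a policy that is meant to hand a user full control of one instance has to list the destructive actions it intends (TerminateInstances, StopInstances, RebootInstances) explicitly rather than rely on name globs.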