我有一个AWS账户,并且有几个人被添加到一个名为“sales”的组中,并且该组具有分配的“AmazonEC2FullAccess”IAM角色。我的理解是,“销售”组能够查看所有EC2资源,创建新实例并终止任何旧资源。如何自定义AmazonEC2FullAccess
我想限制这个组只能查看和创建实例,而不能删除任何实例,我如何编辑/更改这个AmazonEC2FullAccess角色来禁用实例的终止过程?
我有一个AWS账户,并且有几个人被添加到一个名为“sales”的组中,并且该组具有分配的“AmazonEC2FullAccess”IAM角色。我的理解是,“销售”组能够查看所有EC2资源,创建新实例并终止任何旧资源。如何自定义AmazonEC2FullAccess
我想限制这个组只能查看和创建实例,而不能删除任何实例,我如何编辑/更改这个AmazonEC2FullAccess角色来禁用实例的终止过程?
直接回答你的问题,你不能变化 AmazonEC2FullAccess因为它是一个内置策略。不过,你可以明确地通过添加内嵌政策,这组这样的否认EC2实例终止:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1508489064000",
"Effect": "Deny",
"Action": [
"ec2:TerminateInstances"
],
"Resource": [
"arn:aws:ec2:us-east-1:ACCOUNT_ID:instance/*"
]
}
]
}
分配AmazonEC2FullAccess到销售人员是一个可怕的想法。
我建议你使用最低权限方法(只提供访问权限,只需要什么)。
将下面的Inline Custom policy
添加到Sales
组的Permissions
标签下。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:Describe*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "elasticloadbalancing:Describe*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"cloudwatch:ListMetrics",
"cloudwatch:GetMetricStatistics",
"cloudwatch:Describe*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "autoscaling:Describe*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateImage",
"ec2:CreateKeyPair",
"ec2:CreateNetworkInterface",
"ec2:CreatePlacementGroup",
"ec2:CreateSecurityGroup",
"ec2:CreateSnapshot",
"ec2:CreateVolume",
"ec2:ModifyHosts",
"ec2:AllocateAddress",
"ec2:AllocateHosts",
"ec2:AssignIpv6Addresses",
"ec2:AssignPrivateIpAddresses",
"ec2:AssociateAddress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:AttachVolume",
"ec2:CopyImage",
"ec2:CopySnapshot",
"ec2:RunInstances",
"ec2:StartInstances",
"ec2:RebootInstances",
"ec2:CreateTags",
"ec2:DeleteTags"
],
"Resource": "*"
}
]
}
这将使他们与EC2实例一样创建实例该实例进行基本操作,创建安全组,标签等,但是从执行删除操作限制他们。基本上,这项政策是AmazonEC2ReadOnlyAccess
政策的延伸。