AWS IAM Access Management

Submitted by 岁酱吖の on 2019-12-01 03:07:24

Question


I know that you can set up an IAM policy to restrict access to services. However, is it possible to set up a policy that allows access to only part of a service?

E.g. I have two EC2 instances. I need to create two users such that they have access to the AWS console, but only to one EC2 instance each.


Answer 1:


Yes, you can do this with Resource-Level Permissions for EC2.

The structure of the resource is stated in the documentation as follows:

arn:aws:[service]:[region]:[account]:resourceType/resourcePath

Here is how you would structure the IAM policies for each user:

User 1

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/InstanceIdOne"
    }
   ]
}

User 2

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/InstanceIdTwo"
    }
   ]
}



Answer 2:


A policy without access to ec2:DescribeInstances will not work. You need to allow DescribeInstances access on all resources and manage additional access like modify and delete to specific instances, depending on what the need is.

In short, allow all basic operations like Describe Tags, Instances, NetworkACLs, Images etc. to all users, and allow specific destructive actions like Modify and Delete to select users.

The list of EC2 actions is here for your reference: http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_Operations.html

So you have 2 options:

  1. Create one policy like below and attach the same policy to both users

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ec2:*Describe*",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ec2:*Modify*",
            "ec2:*Delete*"
          ],
          "Resource": "arn:aws:ec2:us-east-1:AWS-account-ID:instance/InstanceIdOne",
          "Condition": { "StringEquals": { "aws:username": "user-name-1" } }
        },
        {
          "Effect": "Allow",
          "Action": [
            "ec2:*Modify*",
            "ec2:*Delete*"
          ],
          "Resource": "arn:aws:ec2:us-east-1:AWS-account-ID:instance/InstanceIdTwo",
          "Condition": { "StringEquals": { "aws:username": "user-name-2" } }
        }
      ]
    }

  2. Create 2 different policies. Example for one below

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ec2:*Describe*",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ec2:*Modify*",
            "ec2:*Delete*"
          ],
          "Resource": "arn:aws:ec2:us-east-1:AWS-account-ID:instance/InstanceIdOne"
        }
      ]
    }


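As an added offline check of option 1's combined policy (example code, not from the original answer): a minimal evaluator that applies IAM's evaluation order, explicit Deny over Allow over implicit deny, with wildcard matching on Action and Resource and a StringEquals condition on aws:username in place of a Principal element, which identity-based policies do not accept. The account id, instance ids and user names are constructed placeholders.

```python
import fnmatch

# Constructed placeholders (account id, instance ids, user names are not real).
INSTANCE_ONE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0aaa0000instance1"
INSTANCE_TWO = "arn:aws:ec2:us-east-1:123456789012:instance/i-0bbb0000instance2"

# Option 1's combined policy; a Condition on aws:username does the per-user
# scoping, since an identity-based policy cannot carry a Principal element.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*Describe*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:*Modify*", "ec2:*Delete*"], "Resource": INSTANCE_ONE,
     "Condition": {"StringEquals": {"aws:username": "user-name-1"}}},
    {"Effect": "Allow", "Action": ["ec2:*Modify*", "ec2:*Delete*"], "Resource": INSTANCE_TWO,
     "Condition": {"StringEquals": {"aws:username": "user-name-2"}}},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, fold_case):
    # IAM wildcards: '*' any run of characters, '?' one character.
    # Action names compare case-insensitively, resource ARNs do not.
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in _as_list(patterns)]
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_holds(statement, context):
    # Only StringEquals is modelled; it is all the policy above needs.
    for key, expected in statement.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key) not in _as_list(expected):
            return False
    return True

def is_allowed(policy, username, action, resource):
    # IAM evaluation order: explicit Deny wins, then any Allow, else implicit deny.
    context, allowed = {"aws:username": username}, False
    for statement in policy["Statement"]:
        if (_matches(statement["Action"], action, fold_case=True)
                and _matches(statement["Resource"], resource, fold_case=False)
                and _condition_holds(statement, context)):
            if statement["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

if __name__ == "__main__":
    for user in ("user-name-1", "user-name-2"):
        print(user, "modify instance one:",
              is_allowed(POLICY, user, "ec2:ModifyInstanceAttribute", INSTANCE_ONE))
```

In a real account, confirm the result with the IAM policy simulator rather than this model; actions that do not support resource-level permissions (the Describe calls, as the answer notes) must keep Resource "*".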

Source: https://stackoverflow.com/questions/20548062/aws-iam-access-management
