如何-限制AWS用户能够在特定的EC2服务器上执行"SSM运行命令“
如何-限制AWS用户能够在特定的EC2服务器上执行"SSM运行命令“
提问于 2017-03-20 14:06:31
我试图设置和分配一个策略,以便用户只能在授权或分配给他们的EC2实例上触发(SSM)运行命令。
为此,我按照https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sysman-configuring-access-iam-create.html的指示创建了以下自定义策略,只为一个EC2实例提供访问:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ssm:ListDocuments",
"ssm:DescribeDocument*",
"ssm:GetDocument",
"ssm:DescribeInstance*"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:SendCommand",
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0",
"arn:aws:s3:::test-ssm-logs/TESTSERV",
"arn:aws:ssm:us-east-1:123456789012:document/AWS-RunPowerShellScript"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Name": "TESTSERV"
}
}
},
{
"Action": [
"ssm:CancelCommand",
"ssm:ListCommands",
"ssm:ListCommandInvocations"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DescribeInstanceStatus",
"Effect": "Allow",
"Resource": "*"
}
]
}在我将上面的策略分配给测试用户之后,当我登录并使用它并导航到"Run“时,在目标实例下,我还会看到其他EC2实例,甚至还能够对它们执行命令。用户不应该只看到在上面的策略中指定的1实例吗?
我不明白我在这里做错了什么,以及如何解决它?感谢你的帮助。
谢谢!
下面的IAM策略分配给我的所有EC2系统实例:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:DescribeAssociation",
"ssm:GetDeployablePatchSnapshotForInstance",
"ssm:GetDocument",
"ssm:GetParameters",
"ssm:ListAssociations",
"ssm:ListInstanceAssociations",
"ssm:PutInventory",
"ssm:UpdateAssociationStatus",
"ssm:UpdateInstanceAssociationStatus",
"ssm:UpdateInstanceInformation"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2messages:AcknowledgeMessage",
"ec2messages:DeleteMessage",
"ec2messages:FailMessage",
"ec2messages:GetEndpoint",
"ec2messages:GetMessages",
"ec2messages:SendReply"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"cloudwatch:PutMetricData"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstanceStatus"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ds:CreateComputer",
"ds:DescribeDirectories"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:PutLogEvents"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts",
"s3:ListBucketMultipartUploads"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::amazon-ssm-packages-*"
}
]
}此外,下面为测试用户分配了下面的IAM策略,以便他们可以启动/停止/重新启动EC2实例:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:Describe*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:RebootInstances"
],
"Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Name": "TESTSERV"
}
}
}
]
}回答 1
Stack Overflow用户
回答已采纳
发布于 2017-03-20 23:10:11
我能够通过以下调整政策来完成这项工作:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ssm:ListDocuments",
"ssm:DescribeDocument*",
"ssm:GetDocument",
"ssm:DescribeInstance*"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:SendCommand",
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0",
"arn:aws:s3:::nsight-ssm-logs/TESTSERV",
"arn:aws:ssm:us-east-1::document/AWS-RunPowerShellScript"
]
},
{
"Action": [
"ssm:CancelCommand",
"ssm:ListCommands",
"ssm:ListCommandInvocations"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DescribeInstanceStatus",
"Effect": "Allow",
"Resource": "*"
}
]
}我的要求是只允许执行PowerShell脚本,所以行:
"arn:aws:ssm:us-east-1::document/AWS-RunPowerShellScript“
您可以用*替换AWS-RunPowerShellScript以允许所有命令。
而且,EC2角色分配是必要的,因为没有它,我就看不到运行命令下的任何实例。
还请知道,用户将看到运行命令下的所有实例,但只能对为其分配策略的EC2实例执行命令,即用户帐户。我认为没有任何办法可以制止这种情况。
谢谢你的贡献和有用的建议。
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/42905737
复制相关文章
相似问题
腾讯云开发者
