Problem description
As the title suggests, I am struggling to put together an IAM policy that, based solely on the tags attached to an EC2 instance, lets a user:
- patch EC2 instances carrying the tag env:staging on demand,
- run remote commands (documents) on EC2 instances carrying the env:staging tag,
- start SSM sessions on those same machines,
- stop their own sessions,
- put and get parameters from Parameter Store, at a minimum.
I am trying two policies. With policy #1 I can successfully start and stop sessions, but I cannot patch; more patching permissions are missing. With policy #2 I can start and stop sessions, and I can also run commands and patch "all" instances, including ones with other tags or no tags at all. Could someone help me improve #1 so that it meets the requirements above?
Policy #1
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ssm:GetConnectionStatus", "ssm:ListCommands", "ssm:DescribeSessions",
        "ssm:ListAssociationVersions", "ssm:GetInventory", "ssm:DescribeInstanceInformation",
        "ssm:DescribeParameters", "ssm:DescribeMaintenanceWindows", "kms:GenerateDataKey",
        "ssm:GetInventorySchema", "ssm:DescribeAssociationExecutions", "ssm:ListDocuments",
        "ssm:ListCommandInvocations", "ssm:DescribeAvailablePatches", "ssm:DescribeInstanceProperties"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Action": "ssm:SendCommand",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {"StringLike": {"ssm:resourceTag/env": "staging"}}
    },
    {
      "Sid": "VisualEditor2",
      "Action": "ssm:StartSession"
    },
    {
      "Sid": "VisualEditor3",
      "Resource": "arn:aws:ssm:*:*:document/*"
    },
    {
      "Sid": "VisualEditor4",
      "Action": "ssm:TerminateSession",
      "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"
    },
    {
      "Sid": "VisualEditor5",
      "Action": "ssm:DescribeDocumentParameters"
    },
    {
      "Sid": "VisualEditor6",
      "Action": "ssm:ListDocumentVersions",
      "Resource": "arn:aws:ssm:*:*:document/*"
    }
  ]
}
Policy #2
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "ssm:*",
      "Effect": "Deny",
      "Condition": {
        "StringNotLike": {
          "ssm:resourceTag/env": "staging"
        }
      },
      "NotResource": "arn:aws:ssm:*:*:session/${aws:username}-*"
    }
  ]
}