我想創建一個策略,允許IAM用戶或角色創建一組資源(例如EC2實例),然後管理(刪除,更新等)這些資源。我希望我可以使用IAM變量,通配符和/或條件完成此操作,但我不確定如何。AWS Policy Limited管理員
我的策略會是這個樣子非常
{
"Effect": "Allow",
"Action": [
"ec2:*"
],
"Condition": [
{ "Created_By_The_Instance_Profile_In_The_CFN_Stack_That_Created_The_EC2Instance}" }
]
}
而且,如果我想授予EC2實例配置文件以完成SSM什麼:CreateAssociation因爲這是在同一個堆棧創建爲EC2的SSM文件實例本身?換句話說,我有一個EC2實例和IAM實例配置文件,一個IAM角色和一個SSM文檔的堆棧,我希望EC2實例在啓動時通過UserData啓動CreateAssociation。啓動堆棧的用戶應該有權創建這些資源,但不能創建新策略(有效地使其成爲管理員)。我想提前創建角色+策略,並授予堆棧創建者將此角色附加到它創建的IAM實例配置文件角色的能力。
所以,提前的時間,我(管理員),創建策略和角色本身
"DeployerRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com",
"lambda.amazonaws.com"
],
"AWS": "*"
},
"Action": [
"sts:AssumeRole"
]
}
]
}
}
},
"PolicyManagerPolicy": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"Description": "Allows CFN deployer to attach and detach required policies.",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:AttachRolePolicy",
"iam:DetachRolePolicy"
],
"Resource": "*",
"Condition": {
"ArnEquals": {
"iam:PolicyArn": [
"The_Policy_Arn_I_Want_To_Create"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"iam:CreateRole"
],
"Resource": "*"
}
]
},
"Roles": [ { "Ref": "DeployerRole" } ]
}
}
的「受限管理員」部署(在DeployerRole的IAM用戶)應該能夠推出堆棧包含:
- EC2實例
- IAM實例簡介
- IAM角色
- SSM文件
我需要The_Policy_Arn_I_Want_To_Create到:
- 只允許由堆棧創建的EC2實例能夠CreateAssociation僅使用堆棧中創建的文檔SSM。使用標籤很好,但由於SSM文檔的資源無法使用標籤,我該怎麼做?
請參閱更新的問題請 – Jeff