2017-10-20 46 views
0

I have an AWS account, and several people have been added to a group called "sales", and that group has the "AmazonEC2FullAccess" IAM role assigned. My understanding is that the "sales" group is able to view all EC2 resources, create new instances, and terminate any old resources. How to customize AmazonEC2FullAccess

I want to restrict this group to only viewing and creating instances, with no ability to delete any instance. How do I edit/change this AmazonEC2FullAccess role to disable the instance termination process?

Answers

0

To answer your question directly: you cannot change AmazonEC2FullAccess, because it is a built-in (AWS managed) policy. However, you can explicitly deny EC2 instance termination for this group by adding an inline policy like this:

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
     { 
      "Sid": "Stmt1508489064000", 
      "Effect": "Deny", 
      "Action": [ 
       "ec2:TerminateInstances" 
      ], 
      "Resource": [ 
       "arn:aws:ec2:us-east-1:ACCOUNT_ID:instance/*" 
      ] 
     } 
    ] 
} 

Assigning AmazonEC2FullAccess to salespeople is a terrible idea.

0

I recommend that you use the least-privilege approach (grant only the access that is actually needed).

Add the following inline custom policy under the Permissions tab of the Sales group.

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
     { 
      "Effect": "Allow", 
      "Action": "ec2:Describe*", 
      "Resource": "*" 
     }, 
     { 
      "Effect": "Allow", 
      "Action": "elasticloadbalancing:Describe*", 
      "Resource": "*" 
     }, 
     { 
      "Effect": "Allow", 
      "Action": [ 
       "cloudwatch:ListMetrics", 
       "cloudwatch:GetMetricStatistics", 
       "cloudwatch:Describe*" 
      ], 
      "Resource": "*" 
     }, 
     { 
      "Effect": "Allow", 
      "Action": "autoscaling:Describe*", 
      "Resource": "*" 
     }, 
     { 
      "Effect": "Allow", 
      "Action": [ 
       "ec2:CreateImage", 
       "ec2:CreateKeyPair", 
       "ec2:CreateNetworkInterface", 
       "ec2:CreatePlacementGroup", 
       "ec2:CreateSecurityGroup", 
       "ec2:CreateSnapshot", 
       "ec2:CreateVolume", 
       "ec2:ModifyHosts", 
       "ec2:AllocateAddress", 
       "ec2:AllocateHosts", 
       "ec2:AssignIpv6Addresses", 
       "ec2:AssignPrivateIpAddresses", 
       "ec2:AssociateAddress", 
       "ec2:AuthorizeSecurityGroupEgress", 
       "ec2:AuthorizeSecurityGroupIngress", 
       "ec2:AttachVolume", 
       "ec2:CopyImage", 
       "ec2:CopySnapshot", 
       "ec2:RunInstances", 
       "ec2:StartInstances", 
       "ec2:RebootInstances", 
       "ec2:CreateTags", 
       "ec2:DeleteTags" 
      ], 
      "Resource": "*" 
     }  
    ] 
} 

This will let them perform basic operations on EC2 instances such as creating instances, creating security groups, tags, etc., but restricts them from performing delete operations. Essentially, this policy is an extension of the AmazonEC2ReadOnlyAccess policy.
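The two answers above rely on the same IAM evaluation rules: a request is implicitly denied unless some statement allows it, an explicit Deny overrides any Allow, and `*`/`?` wildcards apply to both Action and Resource. The following is an added example, not code from either answer or from AWS: a small offline evaluator that models exactly those three rules and runs both approaches side by side. The stand-in for AmazonEC2FullAccess is an assumption (it is reduced to `Allow ec2:* on *`; the real managed policy also grants ELB, CloudWatch and Auto Scaling actions), the `ACCOUNT_ID` placeholder is kept from the first answer, the instance ARNs are constructed, and condition keys, NotAction/NotResource and resource-based policies are deliberately not modelled. It also makes one caveat of the first answer's Deny visible: because its Resource is pinned to `us-east-1`, the same group can still terminate instances in any other region.

```python
"""Minimal offline IAM policy evaluator (added example; not from the original answers).

Rules modelled: default (implicit) deny, explicit Deny beats Allow, and IAM-style
wildcards in Action (case-insensitive) and Resource (case-sensitive).
Not modelled: Condition blocks, NotAction/NotResource, resource-based policies.
"""
import fnmatch
import json

# Assumption: a reduced stand-in for the managed AmazonEC2FullAccess policy.
# The real policy also allows elasticloadbalancing:*, cloudwatch:* and autoscaling:*.
EC2_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}

# Inline Deny from the first answer, verbatim (ACCOUNT_ID left as its placeholder).
DENY_TERMINATE = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Stmt1508489064000",
        "Effect": "Deny",
        "Action": ["ec2:TerminateInstances"],
        "Resource": ["arn:aws:ec2:us-east-1:ACCOUNT_ID:instance/*"]
    }]
}""")

# Least-privilege allow list from the second answer, trimmed to the actions exercised below.
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ec2:RunInstances", "ec2:StartInstances", "ec2:RebootInstances",
                    "ec2:CreateSecurityGroup", "ec2:CreateTags"],
         "Resource": "*"},
    ],
}

# Constructed sample ARNs for two regions.
INSTANCE_USE1 = "arn:aws:ec2:us-east-1:ACCOUNT_ID:instance/i-0123456789abcdef0"
INSTANCE_EUW1 = "arn:aws:ec2:eu-west-1:ACCOUNT_ID:instance/i-0123456789abcdef0"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names are matched case-insensitively; '*' and '?' are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    # ARNs are case-sensitive; fnmatch's '*' happily spans ':' and '/' like IAM's does.
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def is_allowed(policies, action, resource):
    """Evaluate one request against the union of all statements in `policies`."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _action_matches(stmt["Action"], action):
                continue
            if not _resource_matches(stmt["Resource"], resource):
                continue
            if stmt["Effect"] == "Deny":
                return False          # an explicit Deny ends evaluation immediately
            allowed = True            # remember the Allow, but keep looking for a Deny
    return allowed                    # nothing matched at all -> implicit deny


def compare_approaches():
    """Run the same requests through both answers' policy sets; returns {request: (answer1, answer2)}."""
    answer1 = [EC2_FULL_ACCESS, DENY_TERMINATE]   # managed full access + inline Deny
    answer2 = [LEAST_PRIVILEGE]                   # explicit allow list only
    requests = {
        "terminate us-east-1": ("ec2:TerminateInstances", INSTANCE_USE1),
        "terminate eu-west-1": ("ec2:TerminateInstances", INSTANCE_EUW1),
        "run instance":        ("ec2:RunInstances", INSTANCE_USE1),
        "describe instances":  ("ec2:DescribeInstances", "*"),
        "delete volume":       ("ec2:DeleteVolume", "arn:aws:ec2:us-east-1:ACCOUNT_ID:volume/vol-0abc"),
    }
    return {name: (is_allowed(answer1, a, r), is_allowed(answer2, a, r))
            for name, (a, r) in requests.items()}


if __name__ == "__main__":
    print(f"{'request':22}{'full+deny':12}{'least-priv'}")
    for name, (a1, a2) in compare_approaches().items():
        print(f"{name:22}{str(a1):12}{a2}")
```

Running the block prints a table showing that the first approach still allows `ec2:TerminateInstances` outside `us-east-1` and every other destructive `ec2:*` action (such as `ec2:DeleteVolume`), while the second approach denies anything not on its allow list. If you want the first answer's Deny to cover all regions, drop the region from the ARN (`arn:aws:ec2:*:ACCOUNT_ID:instance/*`) or use `"Resource": "*"`.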