將AWS Elastic Beanstalk IAM角色限制爲對一個應用程序的完全訪問權限

Question

我試圖授予IAM密碼用戶完全訪問Elastic Beanstalk應用程序（創建/修改/刪除環境）的權限。遵循AWS doc here的結果導致用戶能夠查看應用程序，但無法查看環境或創建新環境（消息：拒絕訪問，無需進一步說明）。

這裏是連接目前的政策：

{ 
"Version": "XXX-XX-XX", 
"Statement": [ 
    { 
     "Sid": "StmtXXXXXXXXX", 
     "Effect": "Allow", 
     "Action": [ 
      "elasticbeanstalk:*", 
      "autoscaling:*" 
     ], 
     "Resource": [ 
      "arn:aws:elasticbeanstalk:eu-west-1:<accountId>:application/<app-name>", 
      "arn:aws:elasticbeanstalk:eu-west-1:<accountId>:applicationversion/<app-name>", 
      "arn:aws:elasticbeanstalk:eu-west-1:<accountId>:environment/<app-name>/*", 
      "arn:aws:elasticbeanstalk:us-west-1::solutionstack/*" 
     ] 
    }, 
    { 
     "Action": [ 
      "elasticbeanstalk:CheckDNSAvailability", 
      "elasticbeanstalk:CreateStorageLocation", 
      "autoscaling:DescribeAutoScalingGroups" 
     ], 
     "Effect": "Allow", 
     "Resource": "*" 
    } 
] 

}

有沒有人這樣做了嗎？

Answer 1

這就是我使用的。我不能被要求進一步分離它。你也可以使用標籤。

我所做的更多的是在不同的賬戶中運行越來越多的事情。如果有獨立的應用程序，則很少或根本沒有理由將它們放在同一個帳戶中。您可以爲用戶提供跨賬戶訪問權限。 https://aws.amazon.com/blogs/security/how-to-enable-cross-account-access-to-the-aws-management-console/

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
     { 
      "Effect": "Allow", 
      "Action": [ 
       "ec2:Describe*", 
       "elasticloadbalancing:Describe*", 
       "autoscaling:Describe*", 
       "cloudwatch:Describe*", 
       "cloudwatch:List*", 
       "cloudwatch:Get*", 
       "s3:Get*", 
       "s3:List*", 
       "sns:Get*", 
       "sns:List*", 
       "cloudformation:Describe*", 
       "cloudformation:Get*", 
       "cloudformation:List*", 
       "cloudformation:Validate*", 
       "cloudformation:Estimate*", 
       "rds:Describe*", 
       "elasticbeanstalk:CreateStorageLocation", 
       "sqs:Get*", 
       "sqs:List*", 
       "autoscaling:SuspendProcesses", 
       "autoscaling:ResumeProcesses", 
       "autoscaling:UpdateAutoScalingGroup", 
       "autoscaling:DescribeAutoScalingGroups", 
       "cloudformation:UpdateStack", 
       "cloudformation:DescribeStacks", 
       "ec2:AuthorizeSecurityGroupIngress", 
       "ec2:RevokeSecurityGroupIngress", 
       "s3:PutObject", 
       "s3:DeleteObject", 
       "s3:PutObjectAcl" 
      ], 
      "Resource": [ 
       "*" 
      ] 
     }, 
     { 
      "Effect": "Allow", 
      "Action": [ 
       "elasticloadbalancing:RegisterInstancesWithLoadBalancer", 
       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer" 
      ], 
      "Resource": [ 
       "arn:aws:elasticloadbalancing:eu-west-1:12345678910:loadbalancer/*" 
      ] 
     }, 
     { 
      "Effect": "Allow", 
      "Action": [ 
       "elasticbeanstalk:Check*", 
       "elasticbeanstalk:Describe*", 
       "elasticbeanstalk:List*", 
       "elasticbeanstalk:RequestEnvironmentInfo", 
       "elasticbeanstalk:RetrieveEnvironmentInfo", 
       "elasticbeanstalk:CreateApplicationVersion", 
       "elasticbeanstalk:CreateConfigurationTemplate", 
       "elasticbeanstalk:UpdateApplicationVersion", 
       "elasticbeanstalk:UpdateConfigurationTemplate", 
       "elasticbeanstalk:UpdateEnvironment", 
       "elasticbeanstalk:DescribeEnvironmentResources", 
       "elasticbeanstalk:ValidateConfigurationSettings" 
      ], 
      "Resource": [ 
       "*" 
      ], 
      "Condition": { 
       "StringEquals": { 
        "elasticbeanstalk:InApplication": [ 
         "arn:aws:elasticbeanstalk:eu-west-1:12345678910:application/My App" 
        ] 
       } 
      } 
     } 
    ] 
}