Using tags to restrict users to operating only their own AWS resources
Background
A single AWS account usually has many users, and different users (or teams) manage different resources. Normally we want each user (team) to operate only its own resources and, at the same time, to be protected from having those resources accidentally terminated by someone else. Resource permissions therefore need fine-grained management. This article shows how to use tags to set fine-grained permissions on resource operations.
Approach
1: Create a policy that grants the user permission to create resources.
2: Create a policy that requires the user to apply their own tag when creating a resource.
3: Create a policy tied to the user's tag that limits the user to specific operations (stop, reboot, terminate, snapshot, and so on) on their own resources.
Example
The example uses EC2 resources.
1: Grant the user permission to create EC2 instances
This policy is the Allow side only. The RunInstancesWithTagRestrictions statement below carries no tag condition itself; the tag requirement is enforced by the separate Deny policy in step 2. Because that statement allows ec2:RunInstances on Resource "*", the two narrower ec2:RunInstances statements after it are already covered and only document which resource types a launch touches.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyEC2WithNonResource",
      "Action": [
        "ec2:Describe*",
        "iam:ListInstanceProfiles"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "ModifyingEC2WithNonResource",
      "Action": [
        "ec2:CreateKeyPair",
        "ec2:CreateSecurityGroup"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "RunInstancesWithTagRestrictions",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "*"
    },
    {
      "Sid": "RemainingRunInstancePermissionsNonResource",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*::image/*",
        "arn:aws:ec2:*::snapshot/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:key-pair/*",
        "arn:aws:ec2:*:*:security-group/*"
      ]
    },
    {
      "Sid": "EC2RunInstancesVpcSubnet",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:subnet/*"
    },
    {
      "Sid": "EC2VpcNonResourceSpecificActions",
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteNetworkAcl",
        "ec2:DeleteNetworkAclEntry",
        "ec2:DeleteRoute",
        "ec2:DeleteRouteTable",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:DeleteSecurityGroup",
        "ec2:CreateNetworkInterfacePermission",
        "ec2:CreateRoute",
        "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
        "ec2:UpdateSecurityGroupRuleDescriptionsIngress"
      ],
      "Resource": "*"
    },
    {
      "Sid": "createTags",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": [
            "RunInstances",
            "CreateVolume"
          ]
        }
      }
    }
  ]
}
2: Require the user to apply their own tag when creating resources
AccountId is a placeholder for your 12-digit AWS account ID. The policy variable is spelled ${aws:username} (with a colon); the Deny fires whenever the creator tag in the request differs from the caller's user name, and also when the tag is omitted entirely, because IAM treats a StringNotEquals condition on a missing key as true.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RunInstancesWithTagRestrictions1",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:ap-east-1:AccountId:instance/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:RequestTag/creator": "${aws:username}"
        }
      }
    }
  ]
}
3: Use the tag to restrict the user to specific operations
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowInstanceActionsTagBased",
      "Effect": "Allow",
      "Action": [
        "ec2:RebootInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances",
        "ec2:StartInstances",
        "ec2:AttachVolume",
        "ec2:DetachVolume",
        "ec2:AssociateIamInstanceProfile",
        "ec2:DisassociateIamInstanceProfile",
        "ec2:GetConsoleScreenshot",
        "ec2:ReplaceIamInstanceProfileAssociation"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/creator": "${aws:username}"
        }
      }
    }
  ]
}
After attaching these three policies to a user, the user can launch EC2 instances and manage only the instances that carry their own tag.
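To see how the three policies interact before attaching them to anyone, the following script replays the decisions IAM makes for a handful of requests. It is an added example, not code from this page or from AWS, and it models only the slice of IAM semantics these policies rely on: an explicit Deny beats any Allow, `*` wildcards in Action and Resource, the `${aws:username}` policy variable, StringEquals/StringNotEquals over aws:RequestTag, ec2:ResourceTag and ec2:CreateAction (a key absent from the request makes StringEquals false and StringNotEquals true), and per-resource authorization for actions that name several ARNs. The account id 111122223333, the user names and the instance id are constructed placeholders; the Deny keeps the page's ap-east-1 region so that the effect of pinning a region is visible.

```python
"""Offline evaluator for the three tag-based EC2 policies above (added example).

Models only the IAM behaviour those policies rely on: explicit Deny beats Allow,
'*' wildcards in Action and Resource, the ${aws:username} policy variable,
StringEquals/StringNotEquals over aws:RequestTag/*, ec2:ResourceTag/* and
ec2:CreateAction (an absent key makes StringEquals false and StringNotEquals
true, as in IAM), and per-resource authorization for multi-ARN actions.
Account id, user names and the instance id are constructed placeholders.
"""
import fnmatch
import re

ACCOUNT = "111122223333"  # constructed placeholder account id
INSTANCE = f"arn:aws:ec2:ap-east-1:{ACCOUNT}:instance/i-0123456789abcdef0"

# The statements exercised below, keeping the page's Sids; the Deny keeps the
# page's ap-east-1 region and uses the ${aws:username} spelling.
POLICIES = [
    {"Statement": [
        {"Sid": "RunInstancesWithTagRestrictions", "Effect": "Allow",
         "Action": "ec2:RunInstances", "Resource": "*"},
        {"Sid": "createTags", "Effect": "Allow", "Action": "ec2:CreateTags",
         "Resource": "*", "Condition": {"StringEquals": {
             "ec2:CreateAction": ["RunInstances", "CreateVolume"]}}}]},
    {"Statement": [
        {"Sid": "RunInstancesWithTagRestrictions1", "Effect": "Deny",
         "Action": "ec2:RunInstances",
         "Resource": f"arn:aws:ec2:ap-east-1:{ACCOUNT}:instance/*",
         "Condition": {"StringNotEquals": {
             "aws:RequestTag/creator": "${aws:username}"}}}]},
    {"Statement": [
        {"Sid": "AllowInstanceActionsTagBased", "Effect": "Allow",
         "Action": ["ec2:RebootInstances", "ec2:StopInstances",
                    "ec2:TerminateInstances", "ec2:StartInstances",
                    "ec2:AttachVolume", "ec2:DetachVolume"],
         "Resource": "*", "Condition": {"StringEquals": {
             "ec2:ResourceTag/creator": "${aws:username}"}}}]},
]


def _listify(x):
    return x if isinstance(x, list) else [x]


def _substitute(value, ctx):
    """Expand ${key} policy variables from the request context."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), ""), value)


def _condition_holds(cond, ctx):
    for op, pairs in cond.items():
        if op not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(op)
        for key, wanted in pairs.items():
            wanted = [_substitute(v, ctx) for v in _listify(wanted)]
            have = ctx.get(key)  # None when the key is absent from the request
            if op == "StringEquals" and (have is None or have not in wanted):
                return False
            if op == "StringNotEquals" and have is not None and have in wanted:
                return False
    return True


def _decide_one(action, arn, ctx):
    """Decision for a single (action, ARN) pair across all attached policies."""
    decision = "ImplicitDeny"
    for policy in POLICIES:
        for stmt in policy["Statement"]:
            if not any(fnmatch.fnmatchcase(action, a) for a in _listify(stmt["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(arn, r) for r in _listify(stmt["Resource"])):
                continue
            if not _condition_holds(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny ends evaluation
            decision = "Allow"
    return decision


def evaluate(user, action, resources, request_ctx=None):
    """Authorize `action` for IAM user `user` over every ARN in `resources`
    (ARN -> resource-level keys); every ARN must be allowed and none denied."""
    outcomes = []
    for arn, res_ctx in resources.items():
        ctx = {"aws:username": user, **(request_ctx or {}), **res_ctx}
        outcomes.append(_decide_one(action, arn, ctx))
    if "Deny" in outcomes:
        return "Deny"
    return "Allow" if all(o == "Allow" for o in outcomes) else "ImplicitDeny"


def launch(user, region, tags):
    """RunInstances in `region`, tagging the new instance with `tags`."""
    req = {f"aws:RequestTag/{k}": v for k, v in tags.items()}
    return evaluate(user, "ec2:RunInstances",
                    {f"arn:aws:ec2:{region}:{ACCOUNT}:instance/*": {},
                     f"arn:aws:ec2:{region}:{ACCOUNT}:volume/*": {}}, req)


def instance_action(user, action, owner, request_ctx=None):
    """Act on an existing instance whose creator tag is `owner`."""
    return evaluate(user, action, {INSTANCE: {"ec2:ResourceTag/creator": owner}},
                    request_ctx)


if __name__ == "__main__":
    print(launch("alice", "ap-east-1", {}))       # Deny: creator tag missing
    print(launch("alice", "us-east-1", {}))       # Allow: the Deny is pinned to ap-east-1
    print(instance_action("alice", "ec2:StopInstances", "bob"))  # ImplicitDeny
```

Calling `instance_action("alice", "ec2:CreateTags", "bob", {"aws:RequestTag/creator": "alice"})` returns ImplicitDeny, which is the retagging attack the createTags statement is there to block, while the same CreateTags request with `ec2:CreateAction` set to RunInstances is allowed. For the real policies, put the same requests through the IAM policy simulator (`aws iam simulate-custom-policy`); the evaluator here only makes the reasoning visible offline.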
Key points
1: Require the user to tag at creation time (enforced through aws:RequestTag). The tag value is fixed: the example sets it with the aws:username policy variable, so the user must enter their own user name and cannot enter someone else's. From the CLI this means launching with --tag-specifications 'ResourceType=instance,Tags=[{Key=creator,Value=<your user name>}]'. You can equally require the user's group name in order to manage by group; in that case create one copy of the policy per group, differing only in the tag value.
2: Restrict specific EC2 operations by tag (enforced through ec2:ResourceTag) in a further policy attached to the user, so the user can operate only resources that carry their own tag.
3: Allow tagging only while a resource is being created (see the createTags statement, which is conditioned on ec2:CreateAction). Otherwise a user could add their own tag to someone else's resource and then operate that resource through the tag.
4: The example keeps three separate policies instead of merging them into one so they can be combined flexibly: you can give a user the creation policy without requiring tags, or without restricting operations by tag, as the actual work requires.
Details worth checking before attaching the policies:
The Deny in step 2 names one region (ap-east-1) and one account, while the Allow in step 1 is unrestricted, so the tag requirement is enforced only for launches in that region; use a wildcard region (arn:aws:ec2:*:AccountId:instance/*) to enforce it everywhere.
aws:username is populated only for IAM users; for roles and federated identities use an aws:PrincipalTag key in its place.
Policy 3 applies ec2:ResourceTag/creator to every resource in a request, so AttachVolume and DetachVolume need the volume as well as the instance to carry the tag; tag volumes at launch too (a second ResourceType=volume entry in --tag-specifications), or extend the Deny in step 2 to volume/*.
ec2:Describe* does not support resource-level permissions, so users can still list instances that belong to others; the tag only stops them from acting on those instances.
References
AWS Knowledge Center: How do I create an IAM policy to explicitly grant IAM users, groups, or roles permissions to create and manage EC2 instances in a specified VPC using tags?