Amazon AWS IAM policy for a single VPC subnet

4

I want to create an IAM policy that allows a user to deploy instances as follows:

  1. They can only use 1 AMI
  2. They can only deploy into a specific VPC subnet
  3. They can only use a specific VPC security group

This scenario is covered in the VPC documentation here (Example 4):

link

I tried my own version of the policy, like so:

{
"Version": "2012-10-17",
"Statement":[{
    "Effect":"Allow",
    "Action": "ec2:RunInstances",
    "Resource": [
        "arn:aws:ec2:eu-west-1:937821706121:image/ami-141ac363",
        "arn:aws:ec2:eu-west-1:937821706121:subnet/subnet-733de516",
        "arn:aws:ec2:eu-west-1:937821706121:network-interface/*",
        "arn:aws:ec2:eu-west-1:937821706121:volume/*",
        "arn:aws:ec2:eu-west-1:937821706121:key-pair/*",
        "arn:aws:ec2:eu-west-1:937821706121:security-group/sg-4aa80f2f"
    ]
}]
}

It doesn't work. I get permission denied when I try to deploy instances as a user who is a member of a group this policy applies to. Is there some other policy I need to include along with this to allow deploying instances in this way?

by Garreth McDaid 05.09.2014 / 17:34

2 answers

5

Basically, the IAM documentation is totally unreliable when it comes to doing anything other than defining global admin or read-only policies.

This is the policy I finally got to work (at least for the subnet bit):

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": [
         "arn:aws:ec2:eu-west-1:937821706121:network-interface/*"
      ],
     "Condition": {
         "ArnNotEquals": {
            "ec2:Subnet": "arn:aws:ec2:eu-west-1:937821706121:subnet/subnet-733de516"
            }
      }
   },
   {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
         "arn:aws:ec2:eu-west-1::image/ami-*",
         "arn:aws:ec2:eu-west-1:937821706121:network-interface/*",
         "arn:aws:ec2:eu-west-1:937821706121:instance/*",
         "arn:aws:ec2:eu-west-1:937821706121:subnet/*",
         "arn:aws:ec2:eu-west-1:937821706121:volume/*",
         "arn:aws:ec2:eu-west-1:937821706121:key-pair/*",
         "arn:aws:ec2:eu-west-1:937821706121:security-group/*"
         ]
      }
   ]
}

That took a lot of trial and error.

Basically, when you want to limit the user based on specific resources, you need to create a statement that first denies the ability to run instances unless the conditions are met on the specific resource ARNs, and then at the end allow them anything.

Update:

Amazon have admitted their docs were inaccurate:

link

by 11.09.2014 / 00:10
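The accepted policy works because of how IAM evaluates a request: an explicit Deny whose condition holds beats every Allow, and a resource no Allow matches is implicitly denied. The following is an added example, not code from the question or the answer, that models just that subset of IAM (Action/Resource wildcards, the ArnEquals/ArnNotEquals operators, and the documented rule that a negated operator is satisfied when its key is absent from the request) and runs both policies from this thread against a simulated RunInstances call. The resource IDs ending in `0example` are constructed placeholders; the assumption that RunInstances must be allowed on every resource ARN it touches (image, network interface, instance, volume, key pair, security group, subnet) follows the resource list the accepted answer uses.

```python
import fnmatch

ACCOUNT = "937821706121"
REGION = "eu-west-1"
ALLOWED_SUBNET = f"arn:aws:ec2:{REGION}:{ACCOUNT}:subnet/subnet-733de516"


def arn(resource, account=ACCOUNT):
    """Build an EC2 ARN; image ARNs carry an empty account field."""
    return f"arn:aws:ec2:{REGION}:{account}:{resource}"


# Accepted answer: explicit Deny on the ENI unless it lands in the allowed
# subnet, then a broad Allow on everything RunInstances touches.
ACCEPTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "ec2:RunInstances",
         "Resource": [arn("network-interface/*")],
         "Condition": {"ArnNotEquals": {"ec2:Subnet": ALLOWED_SUBNET}}},
        {"Effect": "Allow", "Action": "ec2:RunInstances",
         "Resource": [arn("image/ami-*", account=""), arn("network-interface/*"),
                      arn("instance/*"), arn("subnet/*"), arn("volume/*"),
                      arn("key-pair/*"), arn("security-group/*")]},
    ],
}

# The question's first attempt, kept as posted (account id on the image ARN,
# no instance/* resource) so the simulator can show why it is denied.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:RunInstances",
         "Resource": [arn("image/ami-141ac363"), arn("subnet/subnet-733de516"),
                      arn("network-interface/*"), arn("volume/*"),
                      arn("key-pair/*"), arn("security-group/sg-4aa80f2f")]},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Evaluate the two ARN operators the policies use. A negated operator
    (ArnNotEquals) is true when the key is missing from the request context."""
    for operator, pairs in condition.items():
        for key, pattern in pairs.items():
            actual = context.get(key)
            if operator == "ArnEquals":
                if actual is None or not fnmatch.fnmatchcase(actual, pattern):
                    return False
            elif operator == "ArnNotEquals":
                if actual is not None and fnmatch.fnmatchcase(actual, pattern):
                    return False
            else:
                raise ValueError(f"unsupported condition operator {operator}")
    return True


def _matches(stmt, action, resource, context):
    """A statement applies when action, resource and condition all match."""
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and _condition_holds(stmt.get("Condition", {}), context))


def evaluate(policy, action, resources, context):
    """Return (decision, reason). Explicit Deny wins, then an Allow is required
    for every touched resource, otherwise the request is implicitly denied."""
    for resource in resources:
        effects = {s["Effect"] for s in policy["Statement"]
                   if _matches(s, action, resource, context)}
        if "Deny" in effects:
            return "Deny", f"explicit Deny matched {resource}"
        if "Allow" not in effects:
            return "Deny", f"no Allow matched {resource} (implicit deny)"
    return "Allow", "every touched resource allowed"


def run_instances(policy, subnet_arn=None):
    """Simulate one RunInstances call. The subnet the new ENI is placed in is
    passed as the ec2:Subnet condition key; None models a launch with no subnet."""
    touched = [
        f"arn:aws:ec2:{REGION}::image/ami-141ac363",
        arn("network-interface/eni-0example"),
        arn("instance/i-0example"),
        arn("volume/vol-0example"),
        arn("key-pair/deploy-key"),
        arn("security-group/sg-4aa80f2f"),
    ]
    context = {}
    if subnet_arn is not None:
        touched.append(subnet_arn)
        context["ec2:Subnet"] = subnet_arn
    return evaluate(policy, "ec2:RunInstances", touched, context)


if __name__ == "__main__":
    for label, policy in (("accepted", ACCEPTED_POLICY), ("original", ORIGINAL_POLICY)):
        for subnet in (ALLOWED_SUBNET, arn("subnet/subnet-0other"), None):
            print(label, subnet, "->", run_instances(policy, subnet))
```

Running it shows the shape of the fix: the original policy never reaches the subnet question, because the image ARN it lists (with an account id) and the missing `instance/*` resource leave resources with no matching Allow. The accepted policy allows the launch only in `subnet-733de516`, and because `ArnNotEquals` is satisfied when `ec2:Subnet` is absent, a launch that names no subnet at all is explicitly denied too, which is the behaviour you want from a "single subnet" policy.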
-1

You can't do this based on a VPC. AWS doesn't support the EC2 Describe* API actions in resource-level permissions. Instead, you can enforce something similar based on a single VPC on a security group, as shown below:

{  
   "Version":"2012-10-17",
   "Statement":[  
      {  
         "Effect":"Allow",
         "Action":[  
            "ec2:AcceptVpcPeeringConnection",
            "ec2:AllocateAddress",
            "ec2:AssignPrivateIpAddresses",
            "ec2:AssociateAddress",
            "ec2:AssociateDhcpOptions",
            "ec2:AssociateRouteTable",
            "ec2:AttachClassicLinkVpc",
            "ec2:AttachInternetGateway",
            "ec2:AttachNetworkInterface",
            "ec2:AttachVolume",
            "ec2:AttachVpnGateway",
            "ec2:BundleInstance",
            "ec2:ConfirmProductInstance",
            "ec2:CopyImage",
            "ec2:CopySnapshot",
            "ec2:CreateCustomerGateway",
            "ec2:CreateDhcpOptions",
            "ec2:CreateFlowLogs",
            "ec2:CreateImage",
            "ec2:CreateInstanceExportTask",
            "ec2:CreateInternetGateway",
            "ec2:CreateKeyPair",
            "ec2:CreateNatGateway",
            "ec2:CreateNetworkAcl",
            "ec2:CreateNetworkAclEntry",
            "ec2:CreateNetworkInterface",
            "ec2:CreatePlacementGroup",
            "ec2:CreateReservedInstancesListing",
            "ec2:CreateRoute",
            "ec2:CreateRouteTable",
            "ec2:CreateSnapshot",
            "ec2:CreateSpotDatafeedSubscription",
            "ec2:CreateSubnet",
            "ec2:CreateTags",
            "ec2:CreateVolume",
            "ec2:CreateVpc",
            "ec2:CreateVpcEndpoint",
            "ec2:CreateVpcPeeringConnection",
            "ec2:CreateVpnConnection",
            "ec2:CreateVpnConnectionRoute",
            "ec2:CreateVpnGateway",
            "ec2:DeleteCustomerGateway",
            "ec2:DeleteDhcpOptions",
            "ec2:DeleteFlowLogs",
            "ec2:DeleteInternetGateway",
            "ec2:DeleteKeyPair",
            "ec2:DeleteNatGateway",
            "ec2:DeleteNetworkAcl",
            "ec2:DeleteNetworkAclEntry",
            "ec2:DeleteNetworkInterface",
            "ec2:DeletePlacementGroup",
            "ec2:DeleteRoute",
            "ec2:DeleteRouteTable",
            "ec2:DeleteSnapshot",
            "ec2:DeleteSpotDatafeedSubscription",
            "ec2:DeleteSubnet",
            "ec2:DeleteTags",
            "ec2:DeleteVolume",
            "ec2:DeleteVpc",
            "ec2:DeleteVpcEndpoints",
            "ec2:DeleteVpcPeeringConnection",
            "ec2:DeleteVpnConnection",
            "ec2:DeleteVpnConnectionRoute",
            "ec2:DeleteVpnGateway",
            "ec2:DeregisterImage",
            "ec2:DescribeAccountAttributes",
            "ec2:DescribeAddresses",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeBundleTasks",
            "ec2:DescribeClassicLinkInstances",
            "ec2:DescribeConversionTasks",
            "ec2:DescribeCustomerGateways",
            "ec2:DescribeDhcpOptions",
            "ec2:DescribeExportTasks",
            "ec2:DescribeFlowLogs",
            "ec2:DescribeHosts",
            "ec2:DescribeImageAttribute",
            "ec2:DescribeImages",
            "ec2:DescribeImportImageTasks",
            "ec2:DescribeImportSnapshotTasks",
            "ec2:DescribeInstanceAttribute",
            "ec2:DescribeInstances",
            "ec2:DescribeInstanceStatus",
            "ec2:DescribeInternetGateways",
            "ec2:DescribeKeyPairs",
            "ec2:DescribeMovingAddresses",
            "ec2:DescribeNatGateways",
            "ec2:DescribeNetworkAcls",
            "ec2:DescribeNetworkInterfaceAttribute",
            "ec2:DescribeNetworkInterfaces",
            "ec2:DescribePlacementGroups",
            "ec2:DescribePrefixLists",
            "ec2:DescribeRegions",
            "ec2:DescribeReservedInstances",
            "ec2:DescribeReservedInstancesListings",
            "ec2:DescribeReservedInstancesModifications",
            "ec2:DescribeReservedInstancesOfferings",
            "ec2:DescribeRouteTables",
            "ec2:DescribeSnapshotAttribute",
            "ec2:DescribeSnapshots",
            "ec2:DescribeSpotDatafeedSubscription",
            "ec2:DescribeSpotFleetInstances",
            "ec2:DescribeSpotFleetRequestHistory",
            "ec2:DescribeSpotFleetRequests",
            "ec2:DescribeSpotInstanceRequests",
            "ec2:DescribeSpotPriceHistory",
            "ec2:DescribeSubnets",
            "ec2:DescribeTags",
            "ec2:DescribeVolumeAttribute",
            "ec2:DescribeVolumes",
            "ec2:DescribeVolumeStatus",
            "ec2:DescribeVpcAttribute",
            "ec2:DescribeVpcClassicLink",
            "ec2:DescribeVpcEndpoints",
            "ec2:DescribeVpcEndpointServices",
            "ec2:DescribeVpcPeeringConnections",
            "ec2:DescribeVpcs",
            "ec2:DescribeVpnConnections",
            "ec2:DescribeVpnGateways",
            "ec2:DetachClassicLinkVpc",
            "ec2:DetachInternetGateway",
            "ec2:DetachNetworkInterface",
            "ec2:DetachVolume",
            "ec2:DetachVpnGateway",
            "ec2:DisableVgwRoutePropagation",
            "ec2:DisableVpcClassicLink",
            "ec2:DisassociateAddress",
            "ec2:DisassociateRouteTable",
            "ec2:EnableVgwRoutePropagation",
            "ec2:EnableVolumeIO",
            "ec2:EnableVpcClassicLink",
            "ec2:GetConsoleOutput",
            "ec2:GetPasswordData",
            "ec2:ImportImage",
            "ec2:ImportInstance",
            "ec2:ImportKeyPair",
            "ec2:ImportSnapshot",
            "ec2:ImportVolume",
            "ec2:ModifyHosts",
            "ec2:ModifyIdFormat",
            "ec2:ModifyImageAttribute",
            "ec2:ModifyInstanceAttribute",
            "ec2:ModifyInstancePlacement",
            "ec2:ModifyNetworkInterfaceAttribute",
            "ec2:ModifyReservedInstances",
            "ec2:ModifySnapshotAttribute",
            "ec2:ModifySpotFleetRequest",
            "ec2:ModifySubnetAttribute",
            "ec2:ModifyVolumeAttribute",
            "ec2:ModifyVpcAttribute",
            "ec2:ModifyVpcEndpoint",
            "ec2:ModifyVpcPeeringConnectionOptions",
            "ec2:MonitorInstances",
            "ec2:MoveAddressToVpc",
            "ec2:PurchaseReservedInstancesOffering",
            "ec2:RebootInstances",
            "ec2:RegisterImage",
            "ec2:RejectVpcPeeringConnection",
            "ec2:ReleaseAddress",
            "ec2:ReportInstanceStatus",
            "ec2:RestoreAddressToClassic",
            "ec2:RunInstances",
            "ec2:StartInstances",
            "ec2:StopInstances",
            "ec2:TerminateInstances",
            "ec2:UnassignPrivateIpAddresses",
            "ec2:UnmonitorInstances",
            "s3:*",
            "elasticloadbalancing:*",
            "autoscaling:*"
         ],
         "Resource":"*"
      },
      {  
         "Effect":"Allow",
         "Action":[  
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeTags"
         ],
         "Resource":"*"
      },
      {  
         "Effect":"Allow",
         "Action":[  
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:RevokeSecurityGroupIngress",
            "ec2:AuthorizeSecurityGroupEgress",
            "ec2:RevokeSecurityGroupEgress"
         ],
         "Resource":"arn:aws:ec2:REGION:ACCOUNTNUMBER:security-group/*",
         "Condition":{  
            "ArnEquals":{  
               "ec2:Vpc":"arn:aws:ec2:REGION:ACCOUNTNUMBER:vpc/VPCID"
            }
         }
      }
   ]
}

You can change the EC2 actions depending on your needs.

by 15.06.2016 / 10:03