IAM policy to restrict access to a VPC

3

I am trying to restrict users to a single VPC. I went through Controlling Access to Amazon VPC Resources and came up with the following policy, but it does not work. Can someone point out the errors?

I should mention that the IAM Policy Simulator seems to think the policy is fine once I set the VPC ARN under the condition keys in the simulation settings.

(I replaced region, account and vpc-id with real values in my policy.)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:*Vpc*",
                "ec2:*Subnet*",
                "ec2:*Gateway*",
                "ec2:*Vpn*",
                "ec2:*Route*",
                "ec2:*Address*",
                "ec2:*SecurityGroup*",
                "ec2:*NetworkAcl*",
                "ec2:*DhcpOptions*",
                "ec2:RunInstances",
                "ec2:StopInstances",
                "ec2:StartInstances",
                "ec2:TerminateInstances",
                "ec2:Describe*"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:Vpc": "arn:aws:ec2:region:account:vpc/vpc-id"
                }
            }
        }
    ]
}
Thanks.
by Satie Sharma 21.01.2014 / 15:14

3 answers

2

You will probably need to recompose your IAM policy along the lines of Example 5: Launching instances into a specific VPC in Controlling Access to Amazon VPC Resources:

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:region:account:subnet/*",
      "Condition": {
         "StringEquals": {
            "ec2:Vpc": "arn:aws:ec2:region:account:vpc/vpc-1a2b3c4d"
         }
      }
   },
   ...
   ]
}

That is, the resources available (and their granularity) are specific to each API action. For the example at hand, RunInstances applies to EC2 resources in a specific subnet, which in turn is part of a VPC; so you need to target the subnets, but you can further restrict the set of possible subnets through their ec2:Vpc attribute via IAM policy conditions, as described above.

by 21.01.2014 / 17:44
0

There are certain permissions that cannot be applied to a specific resource. Those permissions will show an error when you validate the policy in IAM.

To restrict a user to a specific VPC and allow all EC2 actions, the following policy may help you achieve that:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "NonResourceBasedReadOnlyPermissions",
            "Action": [
                "ec2:Describe*",
                "ec2:CreateKeyPair",
                "ec2:CreateSecurityGroup",
                "iam:GetInstanceProfiles",
                "iam:ListInstanceProfiles"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "IAMPassroleToInstance",
            "Action": [
                "iam:PassRole"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:iam::123456789012:role/VPCLockDown"
        },
        {
            "Sid": "AllowInstanceActions",
            "Effect": "Allow",
            "Action": [
                "ec2:RebootInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
                "ec2:StartInstances",
                "ec2:AttachVolume",
                "ec2:DetachVolume"
            ],
            "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
            "Condition": {
                "StringEquals": {
                    "ec2:InstanceProfile": "arn:aws:iam::123456789012:instance-profile/VPCLockDown"
                }
            }
        },
        {
            "Sid": "EC2RunInstances",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
            "Condition": {
                "StringEquals": {
                    "ec2:InstanceProfile": "arn:aws:iam::123456789012:instance-profile/VPCLockDown"
                }
            }
        },
        {
            "Sid": "EC2RunInstancesSubnet",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:us-east-1:123456789012:subnet/*",
            "Condition": {
                "StringEquals": {
                    "ec2:vpc": "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-7bcd371e"
                }
            }
        },
        {
            "Sid": "RemainingRunInstancePermissions",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:us-east-1:123456789012:volume/*",
                "arn:aws:ec2:us-east-1::image/*",
                "arn:aws:ec2:us-east-1::snapshot/*",
                "arn:aws:ec2:us-east-1:123456789012:network-interface/*",
                "arn:aws:ec2:us-east-1:123456789012:key-pair/*",
                "arn:aws:ec2:us-east-1:123456789012:security-group/*"
            ]
        },
        {
            "Sid": "EC2VpcNonresourceSpecificActions",
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteNetworkAcl",
                "ec2:DeleteNetworkAclEntry",
                "ec2:DeleteRoute",
                "ec2:DeleteRouteTable",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:DeleteSecurityGroup"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:vpc": "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-7bcd371e"
                }
            }
        }
    ]
}

To understand in detail what each statement is doing, I recommend reading this AWS blog. This policy allows the user to:

  • Log in to the AWS Management Console and go to the Amazon EC2 console.
  • Launch an EC2 instance, provided they:
    - Specify a subnet in the proper VPC.
    - Specify the allowed instance profiles.
  • Start / stop / reboot / terminate / attach volume / detach volume on an instance, provided they:
    - Specify an instance launched with the proper instance profile.
  • Delete security groups, routes, route tables, network ACLs and ACL entries, as well as authorize and revoke security group ingress and egress rules, provided they are in the proper VPC.
by 11.07.2018 / 07:18
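The point both the first and the second answer make (the ec2:Vpc condition only works on the action/resource pairs that actually carry that key, and Describe* has to be allowed without it) can be seen with a small Python model of how IAM evaluates Allow statements. This is an added example, not code from the question, the answers or AWS: the evaluator is a deliberate simplification (Allow statements only, StringEquals/ArnEquals only, no Deny handling), and every ARN and ID in it is a constructed placeholder.

```python
# Added example (not from the question or any answer): a deliberately simplified
# model of how IAM evaluates Allow statements, used to show why a VPC condition
# attached to every action fails. Assumptions: only "Allow" statements, only the
# StringEquals/ArnEquals operators, and the real IAM rule that a StringEquals or
# ArnEquals condition whose key is absent from the request context does not match.
# All ARNs and IDs below are constructed placeholders.
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM lets Action, Resource and condition values be a string or a list."""
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Return True only if every operator/key pair in the block is satisfied."""
    ctx = {k.lower(): v for k, v in context.items()}  # condition keys are case-insensitive
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key.lower())
            if actual is None:
                # Key not supplied for this action/resource pair: the statement
                # does not apply (IAM only tolerates a missing key with ...IfExists).
                return False
            if operator == "StringEquals":
                ok = actual in _as_list(expected)
            elif operator in ("ArnEquals", "ArnLike"):
                ok = any(fnmatchcase(actual, p) for p in _as_list(expected))
            else:
                raise ValueError(f"operator {operator!r} is not modelled here")
            if not ok:
                return False
    return True


def policy_allows(policy, action, resource, context=None):
    """True if some Allow statement covers action+resource and its condition holds."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        # Action names are case-insensitive and may contain '*' wildcards.
        if not any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        # Resource ARNs are case-sensitive; '*' is a wildcard.
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


# Constructed identifiers standing in for the region/account/vpc-id in the question.
VPC = "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-0aaaaaaaaaaaaaaaa"
OTHER_VPC = "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-0bbbbbbbbbbbbbbbb"
SUBNET = "arn:aws:ec2:us-east-1:123456789012:subnet/subnet-0ccccccccccccccc"

# The questioner's shape: one statement, Resource "*", ec2:Vpc required everywhere.
ORIGINAL = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:RunInstances", "ec2:Describe*"],
        "Resource": "*",
        "Condition": {"StringEquals": {"ec2:Vpc": VPC}},
    }],
}

# The shape of Example 5 and of the second answer: Describe* unconditioned on "*",
# and the VPC condition only where the key exists (RunInstances against subnets).
FIXED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:us-east-1:123456789012:subnet/*",
            "Condition": {"StringEquals": {"ec2:vpc": VPC}},  # lowercase key, as in the answer
        },
    ],
}


def run_cases():
    """Evaluate both policies against the same constructed requests."""
    # Describe* calls carry no ec2:Vpc key, so their request context is empty.
    describe = ("ec2:DescribeInstances", "*", {})
    launch_ok = ("ec2:RunInstances", SUBNET, {"ec2:Vpc": VPC})
    launch_other = ("ec2:RunInstances", SUBNET, {"ec2:Vpc": OTHER_VPC})
    return {
        "original_describe": policy_allows(ORIGINAL, *describe),          # False
        "original_launch": policy_allows(ORIGINAL, *launch_ok),           # True
        "fixed_describe": policy_allows(FIXED, *describe),                # True
        "fixed_launch": policy_allows(FIXED, *launch_ok),                 # True
        "fixed_launch_other_vpc": policy_allows(FIXED, *launch_other),    # False
    }


if __name__ == "__main__":
    for name, allowed in run_cases().items():
        print(f"{name:24s} {'ALLOW' if allowed else 'DENY'}")
```

Run as a script, the questioner's shape denies DescribeInstances, because the request carries no ec2:Vpc value for StringEquals to compare against, while the Example 5 shape allows it and still refuses a RunInstances into a subnet of another VPC. That also explains the simulator result in the question: typing the VPC ARN into the simulator's condition keys supplies exactly the key a real Describe call never provides.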
-1

You cannot do this based on a VPC. AWS does not support the EC2 Describe* API actions in resource-level permissions. Instead, you can apply something similar based on a single VPC to a security group, as shown below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AcceptVpcPeeringConnection",
                "ec2:AllocateAddress",
                "ec2:AssignPrivateIpAddresses",
                "ec2:AssociateAddress",
                "ec2:AssociateDhcpOptions",
                "ec2:AssociateRouteTable",
                "ec2:AttachClassicLinkVpc",
                "ec2:AttachInternetGateway",
                "ec2:AttachNetworkInterface",
                "ec2:AttachVolume",
                "ec2:AttachVpnGateway",
                "ec2:BundleInstance",
                "ec2:ConfirmProductInstance",
                "ec2:CopyImage",
                "ec2:CopySnapshot",
                "ec2:CreateCustomerGateway",
                "ec2:CreateDhcpOptions",
                "ec2:CreateFlowLogs",
                "ec2:CreateImage",
                "ec2:CreateInstanceExportTask",
                "ec2:CreateInternetGateway",
                "ec2:CreateKeyPair",
                "ec2:CreateNatGateway",
                "ec2:CreateNetworkAcl",
                "ec2:CreateNetworkAclEntry",
                "ec2:CreateNetworkInterface",
                "ec2:CreatePlacementGroup",
                "ec2:CreateReservedInstancesListing",
                "ec2:CreateRoute",
                "ec2:CreateRouteTable",
                "ec2:CreateSnapshot",
                "ec2:CreateSpotDatafeedSubscription",
                "ec2:CreateSubnet",
                "ec2:CreateTags",
                "ec2:CreateVolume",
                "ec2:CreateVpc",
                "ec2:CreateVpcEndpoint",
                "ec2:CreateVpcPeeringConnection",
                "ec2:CreateVpnConnection",
                "ec2:CreateVpnConnectionRoute",
                "ec2:CreateVpnGateway",
                "ec2:DeleteCustomerGateway",
                "ec2:DeleteDhcpOptions",
                "ec2:DeleteFlowLogs",
                "ec2:DeleteInternetGateway",
                "ec2:DeleteKeyPair",
                "ec2:DeleteNatGateway",
                "ec2:DeleteNetworkAcl",
                "ec2:DeleteNetworkAclEntry",
                "ec2:DeleteNetworkInterface",
                "ec2:DeletePlacementGroup",
                "ec2:DeleteRoute",
                "ec2:DeleteRouteTable",
                "ec2:DeleteSnapshot",
                "ec2:DeleteSpotDatafeedSubscription",
                "ec2:DeleteSubnet",
                "ec2:DeleteTags",
                "ec2:DeleteVolume",
                "ec2:DeleteVpc",
                "ec2:DeleteVpcEndpoints",
                "ec2:DeleteVpcPeeringConnection",
                "ec2:DeleteVpnConnection",
                "ec2:DeleteVpnConnectionRoute",
                "ec2:DeleteVpnGateway",
                "ec2:DeregisterImage",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAddresses",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeBundleTasks",
                "ec2:DescribeClassicLinkInstances",
                "ec2:DescribeConversionTasks",
                "ec2:DescribeCustomerGateways",
                "ec2:DescribeDhcpOptions",
                "ec2:DescribeExportTasks",
                "ec2:DescribeFlowLogs",
                "ec2:DescribeHosts",
                "ec2:DescribeImageAttribute",
                "ec2:DescribeImages",
                "ec2:DescribeImportImageTasks",
                "ec2:DescribeImportSnapshotTasks",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeMovingAddresses",
                "ec2:DescribeNatGateways",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeNetworkInterfaceAttribute",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribePlacementGroups",
                "ec2:DescribePrefixLists",
                "ec2:DescribeRegions",
                "ec2:DescribeReservedInstances",
                "ec2:DescribeReservedInstancesListings",
                "ec2:DescribeReservedInstancesModifications",
                "ec2:DescribeReservedInstancesOfferings",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSnapshotAttribute",
                "ec2:DescribeSnapshots",
                "ec2:DescribeSpotDatafeedSubscription",
                "ec2:DescribeSpotFleetInstances",
                "ec2:DescribeSpotFleetInstances",
                "ec2:DescribeSpotFleetRequestHistory",
                "ec2:DescribeSpotFleetRequestHistory",
                "ec2:DescribeSpotFleetRequests",
                "ec2:DescribeSpotFleetRequests",
                "ec2:DescribeSpotInstanceRequests",
                "ec2:DescribeSpotPriceHistory",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:DescribeVolumeAttribute",
                "ec2:DescribeVolumes",
                "ec2:DescribeVolumeStatus",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcClassicLink",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeVpcEndpointServices",
                "ec2:DescribeVpcPeeringConnections",
                "ec2:DescribeVpcs",
                "ec2:DescribeVpnConnections",
                "ec2:DescribeVpnGateways",
                "ec2:DetachClassicLinkVpc",
                "ec2:DetachInternetGateway",
                "ec2:DetachNetworkInterface",
                "ec2:DetachVolume",
                "ec2:DetachVpnGateway",
                "ec2:DisableVgwRoutePropagation",
                "ec2:DisableVpcClassicLink",
                "ec2:DisassociateAddress",
                "ec2:DisassociateRouteTable",
                "ec2:EnableVgwRoutePropagation",
                "ec2:EnableVolumeIO",
                "ec2:EnableVpcClassicLink",
                "ec2:GetConsoleOutput",
                "ec2:GetPasswordData",
                "ec2:ImportImage",
                "ec2:ImportInstance",
                "ec2:ImportKeyPair",
                "ec2:ImportSnapshot",
                "ec2:ImportVolume",
                "ec2:ModifyHosts",
                "ec2:ModifyIdFormat",
                "ec2:ModifyImageAttribute",
                "ec2:ModifyInstanceAttribute",
                "ec2:ModifyInstancePlacement",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:ModifyReservedInstances",
                "ec2:ModifySnapshotAttribute",
                "ec2:ModifySpotFleetRequest",
                "ec2:ModifySubnetAttribute",
                "ec2:ModifyVolumeAttribute",
                "ec2:ModifyVpcAttribute",
                "ec2:ModifyVpcEndpoint",
                "ec2:ModifyVpcPeeringConnectionOptions",
                "ec2:MonitorInstances",
                "ec2:MoveAddressToVpc",
                "ec2:PurchaseReservedInstancesOffering",
                "ec2:RebootInstances",
                "ec2:RegisterImage",
                "ec2:RejectVpcPeeringConnection",
                "ec2:ReleaseAddress",
                "ec2:ReportInstanceStatus",
                "ec2:RestoreAddressToClassic",
                "ec2:RunInstances",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
                "ec2:UnassignPrivateIpAddresses",
                "ec2:UnmonitorInstances",
                "s3:*",
                "elasticloadbalancing:*",
                "autoscaling:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeTags"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupEgress"
            ],
            "Resource": "arn:aws:ec2:REGION:ACCOUNTNUMBER:security-group/*",
            "Condition": {
                "ArnEquals": {
                    "ec2:Vpc": "arn:aws:ec2:REGION:ACCOUNTNUMBER:vpc/VPCID"
                }
            }
        }
    ]
}

You can change the EC2 actions depending on your needs.

by 15.06.2016 / 09:57