How do I restrict the IAM permissions of an Elastic Beanstalk user or application?
I want to restrict the AWS Identity and Access Management (IAM) permissions of an AWS Elastic Beanstalk user or application when I create a new Elastic Beanstalk environment.
Short description
You can restrict the permissions of an IAM user or role with an IAM policy. The policy can limit access to a single environment or application.
Complete the steps in one of the following sections:
- Restrict IAM access to a single environment or application only
- Restrict IAM access to the Elastic Beanstalk service only
**Note:** For examples of how to combine IAM policies to restrict access to a single application, see Example policies based on managed policies or Example policies based on resource permissions.
Resolution
Restrict IAM access to a single environment or application only
Create an IAM policy that restricts access to your Elastic Beanstalk environment or application.
Consider the following:
- In Elastic Beanstalk, you can't directly restrict permissions to your application, because the application is structured as a collection of components (such as environments, versions, and environment configurations). However, you can use actions, resources, and condition keys to restrict permissions at a more granular level.
- An IAM policy is not an effective way to protect the underlying resources. For example, you can use a suitable IAM policy to restrict how a user interacts with the Elastic Beanstalk API. However, you can't prevent a user who has Elastic Beanstalk permissions from creating resources in other AWS services that are unrelated to Elastic Beanstalk.
- Some of the resources that Elastic Beanstalk integrates with don't support resource-level permissions. For more information, see AWS services that work with IAM.
The following example IAM policy grants full access to two Elastic Beanstalk applications, App1 and App2:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:UpdateApplicationVersion",
        "elasticbeanstalk:CreateApplicationVersion",
        "elasticbeanstalk:DeleteApplicationVersion"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": [
            "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App1",
            "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App2"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:DescribeAccountAttributes",
        "elasticbeanstalk:AbortEnvironmentUpdate",
        "elasticbeanstalk:TerminateEnvironment",
        "rds:*",
        "elasticbeanstalk:ValidateConfigurationSettings",
        "elasticbeanstalk:CheckDNSAvailability",
        "autoscaling:*",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RebuildEnvironment",
        "elasticbeanstalk:DescribeInstancesHealth",
        "elasticbeanstalk:DescribeEnvironmentHealth",
        "sns:*",
        "elasticbeanstalk:RestartAppServer",
        "s3:*",
        "cloudformation:*",
        "elasticloadbalancing:*",
        "elasticbeanstalk:CreateStorageLocation",
        "elasticbeanstalk:DescribeEnvironmentManagedActions",
        "elasticbeanstalk:SwapEnvironmentCNAMEs",
        "elasticbeanstalk:DescribeConfigurationOptions",
        "elasticbeanstalk:ApplyEnvironmentManagedAction",
        "cloudwatch:*",
        "elasticbeanstalk:CreateEnvironment",
        "elasticbeanstalk:List*",
        "elasticbeanstalk:DeleteEnvironmentConfiguration",
        "elasticbeanstalk:UpdateEnvironment",
        "ec2:*",
        "elasticbeanstalk:RetrieveEnvironmentInfo",
        "elasticbeanstalk:DescribeConfigurationSettings",
        "sqs:*",
        "dynamodb:CreateTable",
        "dynamodb:DescribeTable"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:*"
      ],
      "Resource": [
        "arn:aws:iam::123456789012:role/aws-elasticbeanstalk-ec2-role",
        "arn:aws:iam::123456789012:role/aws-elasticbeanstalk-service-role",
        "arn:aws:iam::123456789012:instance-profile/aws-elasticbeanstalk-ec2-role"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:DescribeEvents",
        "elasticbeanstalk:DescribeApplications",
        "elasticbeanstalk:AddTags",
        "elasticbeanstalk:ListPlatformVersions"
      ],
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App1",
        "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App2"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:AddTags",
        "elasticbeanstalk:Describe*"
      ],
      "Resource": [
        "arn:aws:elasticbeanstalk:*::platform/*",
        "arn:aws:elasticbeanstalk:*:*:environment/*/*",
        "arn:aws:elasticbeanstalk:*:*:application/*",
        "arn:aws:elasticbeanstalk:*::solutionstack/*",
        "arn:aws:elasticbeanstalk:*:*:applicationversion/*/*",
        "arn:aws:elasticbeanstalk:*:*:configurationtemplate/*/*"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": [
            "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App1",
            "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App2"
          ]
        }
      }
    }
  ]
}
```
**Important:** If you don't use the default Elastic Beanstalk service role and instance profile, then update the preceding IAM policy with your custom service role and instance profile.
For more information about restricting access to Elastic Beanstalk applications, see Resources and conditions for Elastic Beanstalk actions.
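To see how the `elasticbeanstalk:InApplication` condition scopes the application-version actions to App1 and App2, and why the policy still does not protect underlying resources such as EC2 (the caveat noted above), here is an added example that is not part of the AWS article. It is a small offline evaluator over a trimmed copy of the policy; `is_allowed` and the helper names are hypothetical, it models only Allow statements, wildcards and `StringEquals`, and it is not a substitute for the IAM policy simulator.

```python
"""Offline evaluator for a trimmed copy of the allow-only policy above."""
import fnmatch

ACCOUNT = "123456789012"   # account id used in the article's policy
APP = f"arn:aws:elasticbeanstalk:us-east-2:{ACCOUNT}:application/"
IN_APP = "elasticbeanstalk:InApplication"
SCOPED = {"StringEquals": {IN_APP: [APP + "My App1", APP + "My App2"]}}

# Constructed, trimmed copy of the article's policy: only the statements
# needed for the checks below are kept; their shape is unchanged.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Condition": SCOPED,
     "Action": ["elasticbeanstalk:UpdateApplicationVersion",
                "elasticbeanstalk:CreateApplicationVersion",
                "elasticbeanstalk:DeleteApplicationVersion"]},
    {"Effect": "Allow", "Resource": "*", "Action": ["ec2:*", "s3:*"]},
    {"Effect": "Allow", "Condition": SCOPED,
     "Action": ["elasticbeanstalk:AddTags", "elasticbeanstalk:Describe*"],
     "Resource": ["arn:aws:elasticbeanstalk:*:*:application/*",
                  "arn:aws:elasticbeanstalk:*:*:environment/*/*"]},
]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(patterns, value):
    # IAM wildcards: '*' matches any run (including ':' and '/'), '?' one char.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_met(cond, context):
    # Only StringEquals is modelled. A list in the policy means "any of these";
    # a context key that is absent from the request fails the condition.
    for key, wanted in cond.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(wanted):
            return False
    return True

def is_allowed(action, resource, context=None, policy=POLICY):
    """True only if some Allow statement matches; otherwise implicit deny."""
    context = context or {}
    for st in policy["Statement"]:
        if (st.get("Effect") == "Allow"
                and _matches(st["Action"], action)
                and _matches(st["Resource"], resource)
                and _condition_met(st.get("Condition", {}), context)):
            return True
    return False
```

Calling `is_allowed("ec2:RunInstances", ...)` with no context returns True, which is exactly the gap the article warns about: `ec2:*` on `Resource: "*"` is not tied to any Elastic Beanstalk application.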
Restrict IAM access to the Elastic Beanstalk service only
**Important:** The following steps apply only to new Elastic Beanstalk environments or applications.
- Create a separate AWS account for your Elastic Beanstalk environment or application.
- Use AWS Organizations to connect the separate account to your main AWS account.

AWS OFFICIAL Updated 3 years ago