【以下的问题经过翻译处理】 所需的策略arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess
看起来像这样:
{
“Version”:“2012-10-17”,
“Statement”:[
{
“Effect”:“Allow”,
“Action”:“ec2:Describe *”,
“Resource”:“*”
},
{
“Effect”:“Allow”,
“Action”:“elasticloadbalancing:Describe *”,
“Resource”:“*”
},
{
“Effect”:“Allow”,
“Action”:[
“cloudwatch:ListMetrics”,
“cloudwatch:GetMetricStatistics”,
“cloudwatch:Describe *”
],
“Resource”:“*”
},
{
“Effect”:“Allow”,
“Action”:“autoscaling:Describe *”,
“Resource”:“*”
}
]
}
这可使IAM用户执行大多数ec2读取功能。
问题是这太宽容了。我需要做的是允许所有与此相同的功能,但仅适用于某些实例。因此,我尝试使用实例ID列表instanceids
(使用Python boto3)来隔离此:
ResourceIds = [ f"arn:aws:ec2:{REGION_NAME}:{AWS_ACCOUNTID}:instance/{iid}" for iid in instanceids]
Ec2ReadOnlyPolicy = {
“Version”:“2012-10-17”,
“Statement”:[
{
“Effect”:“Allow”,
“Action”:“ec2:Describe *”,
“Resource”:ResourceIds
},
{
“Effect”:“Allow”,
“Action”:“elasticloadbalancing:Describe *”,
“Resource”:ResourceIds
},
{
“Effect”:“Allow”,
“Action”:[
“cloudwatch:ListMetrics”,
“cloudwatch:GetMetricStatistics”,
“cloudwatch:Describe *”
],
“Resource”:ResourceIds
},
{
“Effect”:“Allow”,
“Action”:“autoscaling:Describe *”,
“Resource”:ResourceIds