How do I restrict an Elastic Beanstalk user's IAM permissions to a specific application?


I want to restrict an AWS Elastic Beanstalk user's AWS Identity and Access Management (IAM) permissions to a specific application.

Short description

Use an IAM policy to restrict the permissions of an Elastic Beanstalk user. The Elastic Beanstalk user can be an IAM user or an IAM role. The policy can restrict access to a specific application or to several applications.

Resolution

  1. Create an IAM policy that restricts access to Elastic Beanstalk applications. Use the following IAM policy as an example template.

  2. Attach your IAM policy to the IAM user or role that you want to limit to a specific application or set of applications.

If you use services that integrate with Elastic Beanstalk, such as Amazon Simple Storage Service (Amazon S3), then use less restrictive permissions to allow broader access. This is because of the following:

  • In Elastic Beanstalk, because an application is structured as a collection of components, you can't directly restrict permissions to the application itself. However, you can use actions, resources, and condition keys to restrict permissions more precisely. For a list of the condition keys that you can use to grant conditional access for your use case, see Resources and condition keys for Elastic Beanstalk actions.
  • IAM policies aren't an effective way to secure the underlying resources. For example, you can use an appropriate IAM policy to restrict how a user interacts with the Elastic Beanstalk API. However, you can't prevent a user with Elastic Beanstalk permissions from creating resources in other AWS services that are unrelated to Elastic Beanstalk.
  • Some of the resources that Elastic Beanstalk integrates with don't support resource-level permissions. For more information, see AWS services that work with IAM.

The following example policy grants full access to two Elastic Beanstalk applications (App1 and App2):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:UpdateApplicationVersion",
        "elasticbeanstalk:CreateApplicationVersion",
        "elasticbeanstalk:DeleteApplicationVersion"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": [
            "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App1",
            "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App2"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:DescribeAccountAttributes",
        "elasticbeanstalk:AbortEnvironmentUpdate",
        "elasticbeanstalk:TerminateEnvironment",
        "rds:*",
        "elasticbeanstalk:ValidateConfigurationSettings",
        "elasticbeanstalk:CheckDNSAvailability",
        "autoscaling:*",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RebuildEnvironment",
        "elasticbeanstalk:DescribeInstancesHealth",
        "elasticbeanstalk:DescribeEnvironmentHealth",
        "sns:*",
        "elasticbeanstalk:RestartAppServer",
        "s3:*",
        "cloudformation:*",
        "elasticloadbalancing:*",
        "elasticbeanstalk:CreateStorageLocation",
        "elasticbeanstalk:DescribeEnvironmentManagedActions",
        "elasticbeanstalk:SwapEnvironmentCNAMEs",
        "elasticbeanstalk:DescribeConfigurationOptions",
        "elasticbeanstalk:ApplyEnvironmentManagedAction",
        "cloudwatch:*",
        "elasticbeanstalk:CreateEnvironment",
        "elasticbeanstalk:List*",
        "elasticbeanstalk:DeleteEnvironmentConfiguration",
        "elasticbeanstalk:UpdateEnvironment",
        "ec2:*",
        "elasticbeanstalk:RetrieveEnvironmentInfo",
        "elasticbeanstalk:DescribeConfigurationSettings",
        "sqs:*",
        "dynamodb:CreateTable",
        "dynamodb:DescribeTable"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:*"
      ],
      "Resource": [
        "arn:aws:iam::123456789012:role/aws-elasticbeanstalk-ec2-role",
        "arn:aws:iam::123456789012:role/aws-elasticbeanstalk-service-role",
        "arn:aws:iam::123456789012:instance-profile/aws-elasticbeanstalk-ec2-role"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:DescribeEvents",
        "elasticbeanstalk:DescribeApplications",
        "elasticbeanstalk:AddTags",
        "elasticbeanstalk:ListPlatformVersions"
      ],
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App1",
        "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App2"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:AddTags",
        "elasticbeanstalk:Describe*"
      ],
      "Resource": [
        "arn:aws:elasticbeanstalk:*::platform/*",
        "arn:aws:elasticbeanstalk:*:*:environment/*/*",
        "arn:aws:elasticbeanstalk:*:*:application/*",
        "arn:aws:elasticbeanstalk:*::solutionstack/*",
        "arn:aws:elasticbeanstalk:*:*:applicationversion/*/*",
        "arn:aws:elasticbeanstalk:*:*:configurationtemplate/*/*"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": [
            "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App1",
            "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App2"
          ]
        }
      }
    }
  ]
}
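To see what the scoping in this policy does and does not achieve, the following Python script is an added example (not AWS's code) that re-implements just enough of IAM's evaluation logic to run requests against a condensed copy of the policy above: Allow statements, Action and Resource wildcards, and a StringEquals check on the elasticbeanstalk:InApplication condition key. It shows that application-version and Describe* calls are limited to App1 and App2, while the service-wide wildcards (s3:*, ec2:*, and so on) on Resource "*" stay open, which is the caveat in the bullet list above. The account ID and region are the page's placeholder values, App3 is a constructed application that the policy does not name, and explicit Deny, NotAction, SCPs, permissions boundaries and policy variables are deliberately not modelled; the IAM policy simulator remains the authoritative check.

```python
"""Offline check of what the Elastic Beanstalk scoping policy permits.

Added example, not AWS's code. Models Allow statements, wildcards and
StringEquals on elasticbeanstalk:InApplication only; Deny, NotAction,
SCPs, permissions boundaries and policy variables are out of scope.
"""
import re

ACCOUNT, REGION = "123456789012", "us-east-2"   # placeholder values from the page
APP1 = f"arn:aws:elasticbeanstalk:{REGION}:{ACCOUNT}:application/My App1"
APP2 = f"arn:aws:elasticbeanstalk:{REGION}:{ACCOUNT}:application/My App2"
APP3 = f"arn:aws:elasticbeanstalk:{REGION}:{ACCOUNT}:application/My App3"  # constructed, not in the policy

# Condensed from the page's policy: same statement shapes, shorter action lists.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["elasticbeanstalk:CreateApplicationVersion",
                    "elasticbeanstalk:UpdateApplicationVersion",
                    "elasticbeanstalk:DeleteApplicationVersion"],
         "Resource": "*",
         "Condition": {"StringEquals": {"elasticbeanstalk:InApplication": [APP1, APP2]}}},
        {"Effect": "Allow",
         "Action": ["elasticbeanstalk:CreateEnvironment", "elasticbeanstalk:UpdateEnvironment",
                    "rds:*", "autoscaling:*", "sns:*", "s3:*", "cloudformation:*",
                    "elasticloadbalancing:*", "cloudwatch:*", "ec2:*", "sqs:*"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:*"],
         "Resource": [f"arn:aws:iam::{ACCOUNT}:role/aws-elasticbeanstalk-ec2-role"]},
        {"Effect": "Allow",
         "Action": ["elasticbeanstalk:DescribeEvents", "elasticbeanstalk:DescribeApplications"],
         "Resource": [APP1, APP2]},
        {"Effect": "Allow",
         "Action": ["elasticbeanstalk:AddTags", "elasticbeanstalk:Describe*"],
         "Resource": ["arn:aws:elasticbeanstalk:*:*:application/*",
                      "arn:aws:elasticbeanstalk:*:*:environment/*/*"],
         "Condition": {"StringEquals": {"elasticbeanstalk:InApplication": [APP1, APP2]}}},
    ],
}


def _as_list(value):
    """IAM accepts either a string or a list in Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one character.
    Action names compare case-insensitively; resource ARNs compare exactly."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _condition_holds(condition, context):
    """Only StringEquals is needed for this policy; any other operator is refused loudly."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} is not modelled")
        for key, wanted in pairs.items():
            if context.get(key) not in _as_list(wanted):   # a missing key fails the condition
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """True if some Allow statement matches the action, the resource and the request context.
    context carries condition keys, e.g. {"elasticbeanstalk:InApplication": APP1}."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(_matches(a, action, ignore_case=True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        return True
    return False


def broad_grants(policy):
    """Service-wide wildcard actions granted on Resource "*": the part of the policy that the
    InApplication condition cannot scope, which is the page's second caveat."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Allow" and "*" in _as_list(stmt["Resource"]):
            found.update(a for a in _as_list(stmt["Action"]) if a.endswith(":*"))
    return sorted(found)


if __name__ == "__main__":
    version = f"arn:aws:elasticbeanstalk:{REGION}:{ACCOUNT}:applicationversion/My App1/v1"
    print(is_allowed(POLICY, "elasticbeanstalk:CreateApplicationVersion", version,
                     {"elasticbeanstalk:InApplication": APP1}))   # True
    print(is_allowed(POLICY, "elasticbeanstalk:CreateApplicationVersion", version,
                     {"elasticbeanstalk:InApplication": APP3}))   # False
    print(is_allowed(POLICY, "s3:DeleteBucket", "arn:aws:s3:::example-bucket"))  # True
    print(broad_grants(POLICY))
```

The last two calls make the practical point: the InApplication condition fences off Elastic Beanstalk's own API, but a user holding this policy can still act on any S3 bucket, EC2 instance or RDS database in the account. If that matters, narrow the wildcard services to the actions Elastic Beanstalk needs and scope their resources, or confirm the effective permissions with the IAM policy simulator before attaching the policy.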

For more use cases and examples, see Example policies based on resource permissions or Example policies based on managed policies.


AWS OFFICIAL
Updated 4 years ago