将 AWS Elastic Beanstalk IAM 角色限制为对一个应用程序的完全访问权限
Restrict AWS Elastic Beanstalk IAM Role to full access for one Application
我正在尝试向 IAM 密码用户授予对 Elastic Beanstalk 应用程序(create/modify/delete 环境)的完全访问权限。按照 AWS 文档 here 导致用户能够看到应用程序但无法查看环境或创建新环境(消息:访问被拒绝,没有进一步说明)。
这是附加的当前政策:
{
"Version": "XXX-XX-XX",
"Statement": [
{
"Sid": "StmtXXXXXXXXX",
"Effect": "Allow",
"Action": [
"elasticbeanstalk:*",
"autoscaling:*"
],
"Resource": [
"arn:aws:elasticbeanstalk:eu-west-1:<accountId>:application/<app-name>",
"arn:aws:elasticbeanstalk:eu-west-1:<accountId>:applicationversion/<app-name>",
"arn:aws:elasticbeanstalk:eu-west-1:<accountId>:environment/<app-name>/*",
"arn:aws:elasticbeanstalk:us-west-1::solutionstack/*"
]
},
{
"Action": [
"elasticbeanstalk:CheckDNSAvailability",
"elasticbeanstalk:CreateStorageLocation",
"autoscaling:DescribeAutoScalingGroups"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
有人做过吗?
这是我用的。我不能被要求进一步分离它。您也可以使用标签。
我做的比较多的是运行越来越多的东西在不同的账户里。如果有单独的应用程序,则很少或根本没有理由将它们放在同一个帐户中。您可以为用户提供跨帐户访问权限。 https://aws.amazon.com/blogs/security/how-to-enable-cross-account-access-to-the-aws-management-console/
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"elasticloadbalancing:Describe*",
"autoscaling:Describe*",
"cloudwatch:Describe*",
"cloudwatch:List*",
"cloudwatch:Get*",
"s3:Get*",
"s3:List*",
"sns:Get*",
"sns:List*",
"cloudformation:Describe*",
"cloudformation:Get*",
"cloudformation:List*",
"cloudformation:Validate*",
"cloudformation:Estimate*",
"rds:Describe*",
"elasticbeanstalk:CreateStorageLocation",
"sqs:Get*",
"sqs:List*",
"autoscaling:SuspendProcesses",
"autoscaling:ResumeProcesses",
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:DescribeAutoScalingGroups",
"cloudformation:UpdateStack",
"cloudformation:DescribeStacks",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress",
"s3:PutObject",
"s3:DeleteObject",
"s3:PutObjectAcl"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer"
],
"Resource": [
"arn:aws:elasticloadbalancing:eu-west-1:12345678910:loadbalancer/*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticbeanstalk:Check*",
"elasticbeanstalk:Describe*",
"elasticbeanstalk:List*",
"elasticbeanstalk:RequestEnvironmentInfo",
"elasticbeanstalk:RetrieveEnvironmentInfo",
"elasticbeanstalk:CreateApplicationVersion",
"elasticbeanstalk:CreateConfigurationTemplate",
"elasticbeanstalk:UpdateApplicationVersion",
"elasticbeanstalk:UpdateConfigurationTemplate",
"elasticbeanstalk:UpdateEnvironment",
"elasticbeanstalk:DescribeEnvironmentResources",
"elasticbeanstalk:ValidateConfigurationSettings"
],
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"elasticbeanstalk:InApplication": [
"arn:aws:elasticbeanstalk:eu-west-1:12345678910:application/My App"
]
}
}
}
]
}
我正在尝试向 IAM 密码用户授予对 Elastic Beanstalk 应用程序(create/modify/delete 环境)的完全访问权限。按照 AWS 文档 here 导致用户能够看到应用程序但无法查看环境或创建新环境(消息:访问被拒绝,没有进一步说明)。
这是附加的当前政策:
{
"Version": "XXX-XX-XX",
"Statement": [
{
"Sid": "StmtXXXXXXXXX",
"Effect": "Allow",
"Action": [
"elasticbeanstalk:*",
"autoscaling:*"
],
"Resource": [
"arn:aws:elasticbeanstalk:eu-west-1:<accountId>:application/<app-name>",
"arn:aws:elasticbeanstalk:eu-west-1:<accountId>:applicationversion/<app-name>",
"arn:aws:elasticbeanstalk:eu-west-1:<accountId>:environment/<app-name>/*",
"arn:aws:elasticbeanstalk:us-west-1::solutionstack/*"
]
},
{
"Action": [
"elasticbeanstalk:CheckDNSAvailability",
"elasticbeanstalk:CreateStorageLocation",
"autoscaling:DescribeAutoScalingGroups"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
有人做过吗?
这是我用的。我不能被要求进一步分离它。您也可以使用标签。
我做的比较多的是运行越来越多的东西在不同的账户里。如果有单独的应用程序,则很少或根本没有理由将它们放在同一个帐户中。您可以为用户提供跨帐户访问权限。 https://aws.amazon.com/blogs/security/how-to-enable-cross-account-access-to-the-aws-management-console/
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"elasticloadbalancing:Describe*",
"autoscaling:Describe*",
"cloudwatch:Describe*",
"cloudwatch:List*",
"cloudwatch:Get*",
"s3:Get*",
"s3:List*",
"sns:Get*",
"sns:List*",
"cloudformation:Describe*",
"cloudformation:Get*",
"cloudformation:List*",
"cloudformation:Validate*",
"cloudformation:Estimate*",
"rds:Describe*",
"elasticbeanstalk:CreateStorageLocation",
"sqs:Get*",
"sqs:List*",
"autoscaling:SuspendProcesses",
"autoscaling:ResumeProcesses",
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:DescribeAutoScalingGroups",
"cloudformation:UpdateStack",
"cloudformation:DescribeStacks",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress",
"s3:PutObject",
"s3:DeleteObject",
"s3:PutObjectAcl"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer"
],
"Resource": [
"arn:aws:elasticloadbalancing:eu-west-1:12345678910:loadbalancer/*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticbeanstalk:Check*",
"elasticbeanstalk:Describe*",
"elasticbeanstalk:List*",
"elasticbeanstalk:RequestEnvironmentInfo",
"elasticbeanstalk:RetrieveEnvironmentInfo",
"elasticbeanstalk:CreateApplicationVersion",
"elasticbeanstalk:CreateConfigurationTemplate",
"elasticbeanstalk:UpdateApplicationVersion",
"elasticbeanstalk:UpdateConfigurationTemplate",
"elasticbeanstalk:UpdateEnvironment",
"elasticbeanstalk:DescribeEnvironmentResources",
"elasticbeanstalk:ValidateConfigurationSettings"
],
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"elasticbeanstalk:InApplication": [
"arn:aws:elasticbeanstalk:eu-west-1:12345678910:application/My App"
]
}
}
}
]
}