
我正在使用默认策略 AmazonSSMMaintenanceWindowRole。在该策略中,我修改了 ssm:SendCommand 的权限,想把访问限制在某个特定的 EC2 实例上,但这样并不起作用。如果我把 ssm:SendCommand 的 Resource 设为“*”,它就能正常工作。请告诉我在限制访问方面哪里做错了。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "0",
            "Effect": "Allow",
            "Action": [
                "ssm:GetAutomationExecution",
                "ssm:GetParameters",
                "ssm:ListCommands",
                "ssm:StartAutomationExecution"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "1",
            "Effect": "Allow",
            "Action": [
                "ssm:SendCommand"
            ],
            "Resource": [
                "arn:aws:ec2:eu-west-1:*:instance/myinstance-id",
                "arn:aws:s3:::bucketname",
                "arn:aws:ssm:us-east-1:*:document/AWS-ApplyPatchBaseline"
            ]
        },
        {
            "Sid": "2",
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "arn:aws:lambda:*:*:function:SSM*",
                "arn:aws:lambda:*:*:function:*:SSM*"
            ]
        },
        {
            "Sid": "3",
            "Effect": "Allow",
            "Action": [
                "states:DescribeExecution",
                "states:StartExecution"
            ],
            "Resource": [
                "arn:aws:states:*:*:stateMachine:SSM*",
                "arn:aws:states:*:*:execution:SSM*"
            ]
        }
    ]
}
