我正在使用默认策略 AmazonSSMMaintenanceWindowRole。在该策略中，我修改了 ssm:SendCommand 的权限，以便只允许访问特定的 EC2 实例，但这样无法正常工作。如果我将 ssm:SendCommand 的 Resource 设为“*”，它就能正常工作。请告诉我，我在限制访问方面做错了什么。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "0",
"Effect": "Allow",
"Action": [
"ssm:GetAutomationExecution",
"ssm:GetParameters",
"ssm:ListCommands",
"ssm:StartAutomationExecution"
],
"Resource": [
"*"
]
},
{
"Sid": "1",
"Effect": "Allow",
"Action": [
"ssm:SendCommand"
],
"Resource": [
"arn:aws:ec2:eu-west-1:*:instance/myinstance-id",
"arn:aws:s3:::bucketname",
"arn:aws:ssm:us-east-1:*:document/AWS-ApplyPatchBaseline"
]
},
{
"Sid": "2",
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction"
],
"Resource": [
"arn:aws:lambda:*:*:function:SSM*",
"arn:aws:lambda:*:*:function:*:SSM*"
]
},
{
"Sid": "3",
"Effect": "Allow",
"Action": [
"states:DescribeExecution",
"states:StartExecution"
],
"Resource": [
"arn:aws:states:*:*:stateMachine:SSM*",
"arn:aws:states:*:*:execution:SSM*"
]
}
]
}