我正在创建一个 IAM 策略来授予第三方开发人员访问权限,以便他们可以通过 ec2-instance-connect 连接到私有子网中的 EC2 实例。
开发人员应仅通过 ec2-connect 连接到特定实例。我如何才能实施该政策?
我的政策如下:
AWSTemplateFormatVersion: 2010-09-09
Description: Template for API functionality xxxxx
Metadata:
'AWS::CloudFormation::Interface':
ParameterGroups:
- Label:
default: Environment basic parameters
Parameters:
- Env
- AccountID
ParameterLabels:
Env:
default: Environment ID
AccountID:
default: Account ID
Parameters:
Env:
Description: Unique environment.
Type: String
Default: lab
AccountID:
Description: Account ID.
Type: String
Default: 11113333444455
Resources:
SiteManagementRole:
Type: 'AWS::IAM::Role'
Properties:
RoleName: !Sub 'Role-${Env}'
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Sid: default
Effect: Allow
Principal:
AWS: !Sub 'arn:aws:iam::${AccountID}:root'
Action: 'sts:AssumeRole'
Path: /
Policies:
- PolicyName: !Sub 'Policy-${Env}'
PolicyDocument:
Version: 2012-10-17
Statement:
- Sid: VisualEditor0
Effect: Allow
Action:
- 'ec2-instance-connect:SendSSHPublicKey'
Resource: '*'
- Sid: VisualEditor1
Effect: Allow
Action:
- 'ec2:DescribeImages'
- 'ec2:DescribeInstances'
- 'ec2:DescribeTags'
- 'ec2:DescribeInstanceAttribute'
- 'ec2:DescribeInstanceTypes'
- 'ec2:DescribeInstanceStatus'
Resource: '*'
# Condition:
# StringEquals:
# 'ec2:ResourceTag/Env': !Sub '${Env}'
- Sid: VisualEditor2
Effect: Allow
Action:
- 'logs:ListTagsLogGroup'
- 'logs:GetLogRecord'
- 'logs:DescribeLogGroups'
- 'logs:DescribeLogStreams'
- 'logs:StartQuery'
- 'logs:StopQuery'
- 'logs:TestMetricFilter'
- 'logs:GetLogDelivery'
- 'logs:GetQueryResults'
- 'logs:GetLogEvents'
- 'logs:FilterLogEvents'
- 'logs:GetLogGroupFields'
Resource: '*'
我需要根据标签应用访问限制,但应该有更好的方法来限制开发人员连接到特定实例。
这里 :
Action:
- 'ec2-instance-connect:SendSSHPublicKey'
Resource: '*' <---I dont want it to be *
请帮忙。
提前致谢