目前正在运维一个构筑于aws上的系统,客户将此系统交给我们运维的时候,给了我们一个类似于根用户的账户,我们也一直用这个账户进行运维。此系统包括两个环境,一个是商用环境,另一个是检证环境,为了省钱,检证环境只在工作时间内开启,每天下班之前需要将检证环境的机器关闭。就这样,我们用管理员用户运维了一年半以上,中间发生了好几次比较严重的问题。。。。比如,关闭检证环境机器的时候,不小心点到了商用环境的db,这可是很严重的问题。。。幸亏这个客户还不是那么苛刻。。。真是捏了好几次汗。。。。于是下定决心,一定要把这个权限好好规划一下。。。。
前两天,简单学习了一下aws的策略,特作此笔记。
在aws中有两种方法指定资源,然后对指定的资源分配权限。
Resource
1.代表所有资源
"Resource": [
"*"
]
2.指定资源,可以是指定实例,也可以是lb。。。。
"Resource": [
"arn:aws:ec2:ap-northeast-1:account:instance/instanceid1",
"arn:aws:ec2:ap-northeast-1:account:instance/instanceid2",
"arn:aws:ec2:ap-northeast-1:account:instance/instanceid3",
"arn:aws:ec2:ap-northeast-1:account:instance/instanceid4"
]
condition
主要原理就是为资源定义tag,通过指定tag来指定资源。由于限制完全依赖资源上的tag,所以不要再给这个用户授予ec2:CreateTags、ec2:DeleteTags这类修改tag的权限,tag只应由管理员维护。
"Condition": {
"StringLike": {
"ec2:ResourceTag/Name2": [
"pro-app*",
"st-*"
]
},
"StringNotEquals": {
"ec2:ResourceTag/Name2": [
"pro-app01",
"pro-app02"
]
}
}
如何解决上面的矛盾,刚开始我是这样想的:将检证环境和商用环境分开,也就是再创建一个IAM用户,该用户专门用于检证环境的操作,该用户拥有的权限很简单,仅查看和操作检证环境的四台机器。但是经过多次尝试,我并未成功,当我为指定资源分配读权限的时候,我所有的读权限都没有了,不可以访问任何资源。找了很多资料,原因就是,并不是所有接口都支持通过Resource做资源级别的控制,比如ec2的Describe*接口就不支持,这类接口的Resource只能写成"*"。所以使用resource指定资源,目前是没有办法实现的,那么通过condition指定被操作资源是不是可以呢?我也是调查了一番,没有找到实现的方法,于是就放弃了。
改变初衷,对于新创建的IAM用户而言,它虽然可以看到商用环境的资源,但是没有办法做任何操作,比如创建实例、删除实例、关闭实例等等。。。。于是有了下面的策略。
基于resource实现:
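{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeCommonResources",
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:Describe*",
        "ec2:DescribeInstances",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeSubnets",
        "cloudwatch:DescribeAlarms"
      ],
      "Resource": "*"
    },
    {
      "Sid": "RegisterDeregisterInstancesOnStAndProLoadBalancers",
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer"
      ],
      "Resource": [
        "arn:aws:elasticloadbalancing:ap-northeast-1:account:loadbalancer/st",
        "arn:aws:elasticloadbalancing:ap-northeast-1:account:loadbalancer/pro"
      ]
    },
    {
      "Sid": "DescribeAllEc2",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "RebootStartStopListedInstancesOnly",
      "Effect": "Allow",
      "Action": [
        "ec2:RebootInstances",
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": [
        "arn:aws:ec2:ap-northeast-1:account:instance/instance_id1",
        "arn:aws:ec2:ap-northeast-1:account:instance/instance_id2",
        "arn:aws:ec2:ap-northeast-1:account:instance/instance_id3",
        "arn:aws:ec2:ap-northeast-1:account:instance/instance_id4"
      ]
    },
    {
      "Sid": "RdsReadOnly",
      "Effect": "Allow",
      "Action": [
        "rds:Describe*",
        "rds:ListTagsForResource",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeVpcs"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CloudWatchMetricsAndLogsRead",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricStatistics",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents"
      ],
      "Resource": "*"
    }
  ]
}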
基于condition实现(同一个Condition块内的多个条件之间是并且的关系):
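{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeCommonResources",
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:Describe*",
        "ec2:DescribeInstances",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeSubnets",
        "cloudwatch:DescribeAlarms"
      ],
      "Resource": "*"
    },
    {
      "Sid": "RegisterDeregisterInstancesOnStAndProLoadBalancers",
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer"
      ],
      "Resource": [
        "arn:aws:elasticloadbalancing:ap-northeast-1:account:loadbalancer/st",
        "arn:aws:elasticloadbalancing:ap-northeast-1:account:loadbalancer/pro"
      ]
    },
    {
      "Sid": "DescribeAllEc2",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "RebootStartStopInstancesSelectedByName2Tag",
      "Effect": "Allow",
      "Action": [
        "ec2:RebootInstances",
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": [
        "arn:aws:ec2:ap-northeast-1:account:instance/*"
      ],
      "Condition": {
        "StringLike": {
          "ec2:ResourceTag/Name2": [
            "pro-app*",
            "st-*"
          ]
        },
        "StringNotEquals": {
          "ec2:ResourceTag/Name2": [
            "pro-app01",
            "pro-app02"
          ]
        }
      }
    },
    {
      "Sid": "RdsReadOnly",
      "Effect": "Allow",
      "Action": [
        "rds:Describe*",
        "rds:ListTagsForResource",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeVpcs"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CloudWatchMetricsAndLogsRead",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricStatistics",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents"
      ],
      "Resource": "*"
    }
  ]
}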