AWS IAM policy strategy!

We are currently operating and maintaining a system built on AWS. When the customer handed the system over to us for operation and maintenance, they gave us an account with permissions similar to the root user, and we have been using that account for all operation and maintenance work ever since. The system consists of two environments: a commercial environment (the "pro" resources below) and a verification environment (the "st" resources). To save money, the verification environment is only kept running during working hours, and its machines have to be shut down before we leave work every day. We have operated this way with the administrator user for more than a year and a half, and several serious problems have happened along the way. For example, while shutting down the verification environment machines, someone accidentally clicked on the DB of the commercial environment, which is a very serious problem. Fortunately this client is not so harsh, but it really gave us a cold sweat. So I made up my mind to plan these permissions properly.

Two days ago I spent a little time learning how AWS IAM policies work, and this note is the result.

AWS offers two ways to pick out the resources a policy statement applies to, so that permissions are granted on just those resources: the Resource element and the Condition element.

Resource

1. The wildcard * represents all resources:

"Resource": [
    "*"
]

2. Name the specific resources by ARN, which can be individual instances, an lb, and so on:

"Resource": [
    "arn:aws:ec2:ap-northeast-1:account:instance/instanceid1",
    "arn:aws:ec2:ap-northeast-1:account:instance/instanceid2",
    "arn:aws:ec2:ap-northeast-1:account:instance/instanceid3",
    "arn:aws:ec2:ap-northeast-1:account:instance/instanceid4"
]


Condition

The main idea is to define tags on the resources and then select the resources by tag:

"Condition": {
    "StringLike": {
        "ec2:ResourceTag/Name2": [
            "pro-app*",
            "st-*"
        ]
    },
    "StringNotEquals": {
        "ec2:ResourceTag/Name2": [
            "pro-app01",
            "pro-app02"
        ]
    }
}


My first idea for solving the problem above was to separate the verification environment from the commercial environment: create a second IAM user, dedicated to operating the verification environment, with a very simple set of permissions, namely view and operate only the four machines of the verification environment. After many attempts, I failed. As soon as I scoped the read permissions to the specified resources, all of my read permissions disappeared and I could not see any resources at all. After a lot of searching, the reason turned out to be that Resource does not support every API call: the ec2 describe* calls, for example, cannot be restricted to particular resources. So there is currently no way to restrict what is visible through Resource. Could the operated resources be specified through Condition instead? I looked into that as well, could not find a way to make it work, and gave up on it.

So I changed the goal. The newly created IAM user may see the resources of the commercial environment, but must not be able to perform any operation on them, such as creating an instance, deleting an instance, stopping an instance, and so on. Hence the following policies.

Based on resource implementation:

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
            "elasticloadbalancing:Describe*",
            "ec2:DescribeInstances",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeSubnets",
            "cloudwatch:DescribeAlarms"
         ],
         "Resource": "*"
      },
      {
         "Effect": "Allow",
         "Action": [
            "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
            "elasticloadbalancing:RegisterInstancesWithLoadBalancer"
         ],
         "Resource": [
            "arn:aws:elasticloadbalancing:ap-northeast-1:account:loadbalancer/st",
            "arn:aws:elasticloadbalancing:ap-northeast-1:account:loadbalancer/pro"
         ]
      },
      {
         "Action": [
            "ec2:Describe*"
         ],
         "Resource": [
            "*"
         ],
         "Effect": "Allow"
      },
      {
         "Action": [
            "ec2:RebootInstances",
            "ec2:StartInstances",
            "ec2:StopInstances"
         ],
         "Resource": [
            "arn:aws:ec2:ap-northeast-1:account:instance/instance_id1",
            "arn:aws:ec2:ap-northeast-1:account:instance/instance_id2",
            "arn:aws:ec2:ap-northeast-1:account:instance/instance_id3",
            "arn:aws:ec2:ap-northeast-1:account:instance/instance_id4"
         ],
         "Effect": "Allow"
      },
      {
         "Action": [
            "rds:Describe*",
            "rds:ListTagsForResource",
            "ec2:DescribeAccountAttributes",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeVpcs"
         ],
         "Effect": "Allow",
         "Resource": "*"
      },
      {
         "Action": [
            "cloudwatch:GetMetricStatistics",
            "logs:DescribeLogStreams",
            "logs:GetLogEvents"
         ],
         "Effect": "Allow",
         "Resource": "*"
      }
   ]
}

Notes on the statements, in order (IAM policy JSON itself does not allow comments):

1. Describe calls on the common resources are allowed for everything ("Resource": "*").
2. Adding an instance to and removing it from an lb; allowed for both the commercial (pro) and the verification (st) lb.
3. All describe operations under ec2 are allowed, on all ec2 resources.
4. The operations that may be performed (reboot, start, stop), only on the four specified instances.
5. Read-only operations on rds.
6. Reading CloudWatch metrics and log events.
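A hand-typed policy like the one above is easy to get subtly wrong: a stray space inside an action name, a statement with no Resource, or a mutating action left on "Resource": "*". The following Python script is an added example, not code from the original post or from AWS; it runs a few pre-flight checks over a policy document before the document is attached to the IAM user. The two policy documents inside it are constructed for the example (one with an action typo, one clean), and the list of read-only action prefixes is an assumption of this check, not an IAM classification.

```python
"""Pre-flight checks for a hand-written IAM policy document.

Constructed example for this note (not from the original post or from AWS).
It catches the slips that are easy to make when typing a policy by hand,
before the document is attached to a user.
"""
import json
import re

# service:ActionName with optional '*' / '?' wildcards; no whitespace allowed.
ACTION_RE = re.compile(r"^[a-z0-9-]+:[A-Za-z0-9*?]+$")
# Assumption of this check (not an IAM classification): actions whose name
# starts with one of these prefixes only read state.
READ_ONLY_PREFIXES = ("describe", "get", "list")


def as_list(value):
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    name = action.split(":", 1)[1].lower()
    return name.startswith(READ_ONLY_PREFIXES)


def lint_policy(document):
    """Return a list of findings; an empty list means the document passed."""
    try:
        policy = json.loads(document)
    except json.JSONDecodeError as exc:
        # IAM policy JSON allows no // comments, so annotated drafts fail here.
        return ["not valid JSON: %s" % exc]
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version is not 2012-10-17, the current policy language version")
    for index, stmt in enumerate(as_list(policy.get("Statement", []))):
        where = "statement %d" % index
        for key in ("Effect", "Action", "Resource"):
            if key not in stmt:
                findings.append("%s: missing %s" % (where, key))
        actions = as_list(stmt.get("Action", []))
        for action in actions:
            if not ACTION_RE.match(action):
                findings.append("%s: malformed action %r" % (where, action))
        resources = as_list(stmt.get("Resource", []))
        if stmt.get("Effect") == "Allow" and "*" in resources and "Condition" not in stmt:
            # Well-formed, state-changing actions granted on every resource.
            mutating = [a for a in actions if ACTION_RE.match(a) and not is_read_only(a)]
            if mutating:
                findings.append('%s: mutating actions on Resource "*" with no Condition: %s'
                                % (where, ", ".join(mutating)))
    return findings


# Constructed draft: a stray space in an action name, and start/stop on every instance.
DRAFT = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ec2:RebootInstances", "ec2:StartInstances", "ec2: StopInstances"],
      "Resource": "*"
    }
  ]
}"""

# Constructed clean version: describe everywhere, mutating actions on a named instance.
CLEAN = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ec2:Describe*"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:RebootInstances", "ec2:StartInstances", "ec2:StopInstances"],
      "Resource": ["arn:aws:ec2:ap-northeast-1:account:instance/instance_id1"]
    }
  ]
}"""


def lint_draft():
    return lint_policy(DRAFT)


def lint_clean():
    return lint_policy(CLEAN)


if __name__ == "__main__":
    for name, result in (("draft", lint_draft()), ("clean", lint_clean())):
        print(name, result or "OK")
```

Run it before every policy change; the draft produces two findings (the malformed "ec2: StopInstances" and the two well-formed mutating actions on "Resource": "*"), while the clean document passes. The check is deliberately strict about Describe-style actions only because EC2 describe calls genuinely need "Resource": "*", as the text explains.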

Implementation based on condition:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:Describe*",
                "ec2:DescribeInstances",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeSubnets",
                "cloudwatch:DescribeAlarms"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
                "elasticloadbalancing:RegisterInstancesWithLoadBalancer"
            ],
            "Resource": [
                "arn:aws:elasticloadbalancing:ap-northeast-1:account:loadbalancer/st",
                "arn:aws:elasticloadbalancing:ap-northeast-1:account:loadbalancer/pro"
            ]
        },
        {
            "Action": [
                "ec2:Describe*"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:RebootInstances",
                "ec2:StartInstances",
                "ec2:StopInstances"
            ],
            "Resource": [
                "arn:aws:ec2:ap-northeast-1:account:instance/*"
            ],
            "Effect": "Allow",
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/Name2": [
                        "pro-app*",
                        "st-*"
                    ]
                },
                "StringNotEquals": {
                    "ec2:ResourceTag/Name2": [
                        "pro-app01",
                        "pro-app02"
                    ]
                }
            }
        },
        {
            "Action": [
                "rds:Describe*",
                "rds:ListTagsForResource",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeVpcs"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "cloudwatch:GetMetricStatistics",
                "logs:DescribeLogStreams",
                "logs:GetLogEvents"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Notes: in the fourth statement the Resource now covers every instance in the region, and the Condition decides which instances the reboot, start and stop operations may actually be executed on. The two condition operators are combined with AND: the instance's Name2 tag must match pro-app* or st-*, and it must not be exactly pro-app01 or pro-app02. The fifth statement is the read-only rds access again.
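To see how IAM combines the Resource wildcard with the two condition operators in the fourth statement (the same Condition block shown in the Condition section above), here is a small Python evaluator. It is an added example, not code from the original post or from AWS, and it models only the subset of IAM semantics these policies use: Allow statements, * and ? wildcards in actions and ARNs, and StringLike / StringNotEquals on ec2:ResourceTag/<key>. The policy embedded in it is a trimmed copy of the one above; the instance ARN, the DB ARN and the tag values are constructed for the example.

```python
"""Evaluate IAM-style Allow statements with tag conditions.

Constructed example for this note (not from the original post or from AWS).
Models only what the page's policies use: Allow statements, '*' / '?'
wildcards in actions and ARNs, and StringLike / StringNotEquals on
ec2:ResourceTag/<key>. Deny statements and other operators are not handled.
"""
import json
import re

TAG_PREFIX = "ec2:ResourceTag/"


def wildcard_to_regex(pattern):
    """IAM wildcards: '*' matches any run of characters, '?' exactly one."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def matches(pattern, value):
    return wildcard_to_regex(pattern).match(value) is not None


def as_list(value):
    return value if isinstance(value, list) else [value]


def condition_holds(condition, tags):
    """Operators are ANDed; the values listed under one key are ORed."""
    for operator, keys in condition.items():
        for key, values in keys.items():
            if not key.startswith(TAG_PREFIX):
                raise ValueError("unsupported condition key: " + key)
            tag_value = tags.get(key[len(TAG_PREFIX):])
            values = as_list(values)
            if operator == "StringLike":
                # A missing tag makes a non-negated operator false.
                if tag_value is None or not any(matches(p, tag_value) for p in values):
                    return False
            elif operator == "StringNotEquals":
                # A missing tag makes a negated operator true; otherwise the
                # value must differ from every listed value.
                if tag_value is not None and tag_value in values:
                    return False
            else:
                raise ValueError("unsupported operator: " + operator)
    return True


def is_allowed(policy, action, resource_arn, tags=None):
    """True when some Allow statement matches action, resource and condition."""
    tags = tags or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        # Action names are case-insensitive; ARNs and tag values are not.
        if not any(matches(a.lower(), action.lower()) for a in as_list(stmt["Action"])):
            continue
        if not any(matches(r, resource_arn) for r in as_list(stmt["Resource"])):
            continue
        if not condition_holds(stmt.get("Condition", {}), tags):
            continue
        return True
    return False


# Trimmed copy of the condition-based policy above.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["ec2:RebootInstances", "ec2:StartInstances", "ec2:StopInstances"],
     "Resource": ["arn:aws:ec2:ap-northeast-1:account:instance/*"],
     "Condition": {
       "StringLike": {"ec2:ResourceTag/Name2": ["pro-app*", "st-*"]},
       "StringNotEquals": {"ec2:ResourceTag/Name2": ["pro-app01", "pro-app02"]}}},
    {"Effect": "Allow", "Action": ["rds:Describe*", "rds:ListTagsForResource"],
     "Resource": "*"}
  ]
}""")

INSTANCE = "arn:aws:ec2:ap-northeast-1:account:instance/i-0123456789abcdef0"  # constructed
PROD_DB = "arn:aws:rds:ap-northeast-1:account:db:pro-db"                      # constructed


def demo():
    """Requests the new user might make; Describe calls carry no resource, so '*' is used."""
    stop = "ec2:StopInstances"
    return {
        "stop st-app01": is_allowed(POLICY, stop, INSTANCE, {"Name2": "st-app01"}),
        "stop pro-app01": is_allowed(POLICY, stop, INSTANCE, {"Name2": "pro-app01"}),
        "stop pro-app03": is_allowed(POLICY, stop, INSTANCE, {"Name2": "pro-app03"}),
        "stop untagged": is_allowed(POLICY, stop, INSTANCE, {}),
        "describe instances": is_allowed(POLICY, "ec2:DescribeInstances", "*"),
        "stop prod db": is_allowed(POLICY, "rds:StopDBInstance", PROD_DB),
        "describe prod db": is_allowed(POLICY, "rds:DescribeDBInstances", PROD_DB),
    }


if __name__ == "__main__":
    for request, allowed in demo().items():
        print("%-20s %s" % (request, "ALLOW" if allowed else "DENY"))
```

Two results are worth noting. An instance tagged pro-app03 is allowed: StringLike admits every pro-app* value and the StringNotEquals list only removes pro-app01 and pro-app02, so any commercial instance later created under that naming is in scope unless the exclusion list is kept in sync; if the goal is the verification environment only, matching st-* alone is tighter. An untagged instance is denied, because StringLike on a missing key is false even though StringNotEquals on a missing key is true, and the two operators are ANDed. Stopping the commercial DB is denied simply because no statement grants rds:StopDBInstance, which is the separation the note set out to achieve; the AWS IAM policy simulator remains the authoritative check for the real account.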
