Example policies based on resource permissions
This section walks through a use case for controlling user permissions for Elastic Beanstalk actions that access specific Elastic Beanstalk resources, and the sample policies that support it. For more information about Elastic Beanstalk resources, see Creating a custom user policy. For information about attaching policies to users and groups, see Managing IAM Policies in Using AWS Identity and Access Management.
In our use case, Example Corp. is a small consulting firm that develops applications for two different customers. John is the development manager overseeing the development of the two Elastic Beanstalk applications, app1 and app2. John does some development and testing on both applications, and he alone can update the production environments of the two applications. These are the permissions he needs for app1 and app2:
- View applications, application versions, environments, and configuration templates
- Create application versions and deploy them to the staging environment
- Update the production environment
- Create and terminate environments
Jill is a tester who, to monitor and test the two applications, needs view access to the following resources: applications, application versions, environments, and configuration templates. However, she should not have permission to change any Elastic Beanstalk resource.
Jack is the developer for app1. He needs permission to view all app1 resources, and he also needs to create application versions for app1 and deploy them to the staging environment.
Judy is the administrator of the Example Corp AWS account. She has created IAM users for John, Jill, and Jack and attaches the following policies to those users to grant the appropriate permissions on the app1 and app2 applications.
Example 1: John – Development manager for app1, app2
We have split John's policy into three separate policies so that they are easier to read and manage. Together, these examples grant John the permissions he needs to perform development, testing, and deployment actions on the two applications.
The first policy specifies actions for Auto Scaling, Amazon S3, Amazon EC2, CloudWatch, Amazon SNS, Elastic Load Balancing, Amazon RDS, and AWS CloudFormation. Elastic Beanstalk relies on these additional services to provision the underlying resources when it creates an environment.
Note that this policy is an example. It grants a broad set of permissions on the AWS products that Elastic Beanstalk uses to manage applications and environments. For example, ec2:* allows the IAM user to perform any action on any Amazon EC2 resource in the AWS account; these permissions are not limited to the resources that are used with Elastic Beanstalk. As a best practice, grant individuals only the permissions they need to perform their duties.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:*",
        "ecs:*",
        "ecr:*",
        "elasticloadbalancing:*",
        "autoscaling:*",
        "cloudwatch:*",
        "s3:*",
        "sns:*",
        "cloudformation:*",
        "dynamodb:*",
        "rds:*",
        "sqs:*",
        "logs:*",
        "iam:GetPolicyVersion",
        "iam:GetRole",
        "iam:PassRole",
        "iam:ListRolePolicies",
        "iam:ListAttachedRolePolicies",
        "iam:ListInstanceProfiles",
        "iam:ListRoles",
        "iam:ListServerCertificates",
        "acm:DescribeCertificate",
        "acm:ListCertificates",
        "codebuild:CreateProject",
        "codebuild:DeleteProject",
        "codebuild:BatchGetBuilds",
        "codebuild:StartBuild"
      ],
      "Resource": "*"
    }
  ]
}
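The note above warns that a grant such as ec2:* on Resource "*" reaches every resource of that service, not only the ones Elastic Beanstalk manages. The following script is an added example (it is not AWS code and not part of this page's policies) that reports exactly that pattern in a policy document: a service-wide wildcard action inside an Allow statement whose Resource includes "*". It embeds John's first policy from above, plus a small read-only statement constructed here in the style of Jill's policies later on the page; pass a file path to lint a policy of your own.

```python
"""Report service-wide wildcard grants in an IAM policy document.

Added example for this page; not AWS code. It flags Allow statements that
combine an action such as "ec2:*" (or a bare "*") with Resource "*". Action
prefixes such as "ec2:Describe*" and single actions are not reported, so a
read-only policy in the style of Jill's comes back clean.
"""
import json
import sys

# John's first policy, copied from the page above.
JOHN_SERVICE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ec2:*", "ecs:*", "ecr:*", "elasticloadbalancing:*", "autoscaling:*",
            "cloudwatch:*", "s3:*", "sns:*", "cloudformation:*", "dynamodb:*",
            "rds:*", "sqs:*", "logs:*",
            "iam:GetPolicyVersion", "iam:GetRole", "iam:PassRole",
            "iam:ListRolePolicies", "iam:ListAttachedRolePolicies",
            "iam:ListInstanceProfiles", "iam:ListRoles", "iam:ListServerCertificates",
            "acm:DescribeCertificate", "acm:ListCertificates",
            "codebuild:CreateProject", "codebuild:DeleteProject",
            "codebuild:BatchGetBuilds", "codebuild:StartBuild",
        ],
        "Resource": "*",
    }],
}

# Constructed read-only statement, in the style of the tester policies on this page.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:Describe*", "s3:Get*", "s3:List*", "cloudformation:Describe*"],
        "Resource": "*",
    }],
}


def _as_list(value):
    # IAM allows a single string or a list in Action and Resource.
    return value if isinstance(value, list) else [value]


def find_broad_grants(policy):
    """Return (sid, action) for every "<service>:*" or "*" action that appears
    in an Allow statement whose Resource element includes "*"."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue  # scoped to specific ARNs; not the pattern we are after
        sid = stmt.get("Sid", f"Statement[{idx}]")
        for action in _as_list(stmt.get("Action", [])):
            _, _, verb = action.partition(":")
            if action == "*" or verb == "*":
                findings.append((sid, action))
    return findings


def main(argv):
    # With a path argument, lint that policy file; otherwise lint the embedded examples.
    policies = {"john-services": JOHN_SERVICE_POLICY, "read-only": READ_ONLY_POLICY}
    if len(argv) > 1:
        with open(argv[1]) as fh:
            policies = {argv[1]: json.load(fh)}
    for name, policy in policies.items():
        hits = find_broad_grants(policy)
        print(f"{name}: {len(hits)} service-wide wildcard grant(s)")
        for sid, action in hits:
            print(f"  {sid}: {action}")


if __name__ == "__main__":
    main(sys.argv)
```

Run against John's first policy it reports the thirteen service-wide wildcards and nothing for the scoped IAM, ACM, and CodeBuild actions; the read-only statement produces no findings. Treat a finding as a prompt to decide whether the service really needs full access, not as an automatic failure.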
The second policy specifies the Elastic Beanstalk actions that John can perform on the app1 and app2 resources. The AllCallsInApplications statement allows all Elastic Beanstalk actions ("elasticbeanstalk:*") on all resources within app1 and app2 (for example, elasticbeanstalk:CreateEnvironment). The AllCallsOnApplications statement allows all Elastic Beanstalk actions ("elasticbeanstalk:*") on the app1 and app2 application resources themselves (for example, elasticbeanstalk:DescribeApplications and elasticbeanstalk:UpdateApplication). The AllCallsOnSolutionStacks statement allows all Elastic Beanstalk actions ("elasticbeanstalk:*") on solution stack resources (for example, elasticbeanstalk:ListAvailableSolutionStacks).
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllCallsInApplications",
      "Action": [
        "elasticbeanstalk:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": [
            "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/app1",
            "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/app2"
          ]
        }
      }
    },
    {
      "Sid": "AllCallsOnApplications",
      "Action": [
        "elasticbeanstalk:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/app1",
        "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/app2"
      ]
    },
    {
      "Sid": "AllCallsOnSolutionStacks",
      "Action": [
        "elasticbeanstalk:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-2::solutionstack/*"
      ]
    }
  ]
}
The third policy grants the Elastic Beanstalk actions that the actions in the second policy depend on in order to complete. The AllNonResourceCalls statement allows the elasticbeanstalk:CheckDNSAvailability action, which is required to call elasticbeanstalk:CreateEnvironment and other actions. It also allows the elasticbeanstalk:CreateStorageLocation action, which is required for elasticbeanstalk:CreateApplication, elasticbeanstalk:CreateEnvironment, and other actions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllNonResourceCalls",
      "Action": [
        "elasticbeanstalk:CheckDNSAvailability",
        "elasticbeanstalk:CreateStorageLocation"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    }
  ]
}
Example 2: Jill – Tester for app1, app2
We have split Jill's policy into three separate policies so that they are easier to read and manage. Together, these examples grant Jill the permissions she needs to perform testing and monitoring actions on the two applications.
The first policy specifies the Describe*, List*, and Get* actions for Auto Scaling, Amazon S3, Amazon EC2, CloudWatch, Amazon SNS, Elastic Load Balancing, Amazon RDS, and AWS CloudFormation (for non-legacy container types), so that Elastic Beanstalk actions can retrieve information about the underlying resources of the app1 and app2 applications.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "elasticloadbalancing:Describe*",
        "autoscaling:Describe*",
        "cloudwatch:Describe*",
        "cloudwatch:List*",
        "cloudwatch:Get*",
        "s3:Get*",
        "s3:List*",
        "sns:Get*",
        "sns:List*",
        "rds:Describe*",
        "cloudformation:Describe*",
        "cloudformation:Get*",
        "cloudformation:List*",
        "cloudformation:Validate*",
        "cloudformation:Estimate*"
      ],
      "Resource": "*"
    }
  ]
}
The second policy specifies the Elastic Beanstalk actions that Jill can perform on the app1 and app2 resources. The AllReadCallsInApplications statement allows Jill to call the Describe* actions and the environment information actions. The AllReadCallsOnApplications statement allows Jill to call the DescribeApplications and DescribeEvents actions on the app1 and app2 application resources. The AllReadCallsOnSolutionStacks statement allows view actions (ListAvailableSolutionStacks, DescribeConfigurationOptions, and ValidateConfigurationSettings) on solution stack resources.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllReadCallsInApplications",
      "Action": [
        "elasticbeanstalk:Describe*",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RetrieveEnvironmentInfo"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": [
            "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/app1",
            "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/app2"
          ]
        }
      }
    },
    {
      "Sid": "AllReadCallsOnApplications",
      "Action": [
        "elasticbeanstalk:DescribeApplications",
        "elasticbeanstalk:DescribeEvents"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/app1",
        "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/app2"
      ]
    },
    {
      "Sid": "AllReadCallsOnSolutionStacks",
      "Action": [
        "elasticbeanstalk:ListAvailableSolutionStacks",
        "elasticbeanstalk:DescribeConfigurationOptions",
        "elasticbeanstalk:ValidateConfigurationSettings"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-2::solutionstack/*"
      ]
    }
  ]
}
The third policy grants the Elastic Beanstalk actions that the actions in the second policy depend on in order to complete. The AllNonResourceCalls statement allows the elasticbeanstalk:CheckDNSAvailability action, which some of the view actions require.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllNonResourceCalls",
      "Action": [
        "elasticbeanstalk:CheckDNSAvailability"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    }
  ]
}
Example 3: Jack – Developer for app1
We have split Jack's policy into three separate policies so that they are easier to read and manage. Together, these examples grant Jack the permissions he needs to perform testing, monitoring, and deployment actions on the app1 resources.
The first policy specifies actions for Auto Scaling, Amazon S3, Amazon EC2, CloudWatch, Amazon SNS, Elastic Load Balancing, Amazon RDS, and AWS CloudFormation (for non-legacy container types), so that Elastic Beanstalk actions can act on the underlying resources of app1. For a list of supported non-legacy container types, see Why are some platform versions marked legacy?
Note that this policy is an example. It grants a broad set of permissions on the AWS products that Elastic Beanstalk uses to manage applications and environments. For example, ec2:* allows the IAM user to perform any action on any Amazon EC2 resource in the AWS account; these permissions are not limited to the resources that are used with Elastic Beanstalk. As a best practice, grant individuals only the permissions they need to perform their duties.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:*",
        "elasticloadbalancing:*",
        "autoscaling:*",
        "cloudwatch:*",
        "s3:*",
        "sns:*",
        "rds:*",
        "cloudformation:*"
      ],
      "Resource": "*"
    }
  ]
}
The second policy specifies the Elastic Beanstalk actions that Jack can perform on the app1 resources. The UpdateEnvironmentInApplications statement is the one that limits his deployments: it matches only environment ARNs under app1 whose names begin with app1-staging, and its StringLike condition on elasticbeanstalk:FromApplicationVersion requires the deployed version to belong to app1.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllReadCallsAndAllVersionCallsInApplications",
      "Action": [
        "elasticbeanstalk:Describe*",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RetrieveEnvironmentInfo",
        "elasticbeanstalk:CreateApplicationVersion",
        "elasticbeanstalk:DeleteApplicationVersion",
        "elasticbeanstalk:UpdateApplicationVersion"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": [
            "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/app1"
          ]
        }
      }
    },
    {
      "Sid": "AllReadCallsOnApplications",
      "Action": [
        "elasticbeanstalk:DescribeApplications",
        "elasticbeanstalk:DescribeEvents"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/app1"
      ]
    },
    {
      "Sid": "UpdateEnvironmentInApplications",
      "Action": [
        "elasticbeanstalk:UpdateEnvironment"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/app1/app1-staging*"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": [
            "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/app1"
          ]
        },
        "StringLike": {
          "elasticbeanstalk:FromApplicationVersion": [
            "arn:aws:elasticbeanstalk:us-east-2:123456789012:applicationversion/app1/*"
          ]
        }
      }
    },
    {
      "Sid": "AllReadCallsOnSolutionStacks",
      "Action": [
        "elasticbeanstalk:ListAvailableSolutionStacks",
        "elasticbeanstalk:DescribeConfigurationOptions",
        "elasticbeanstalk:ValidateConfigurationSettings"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-2::solutionstack/*"
      ]
    }
  ]
}
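The policies on this page get their scoping from resource ARN patterns and from the elasticbeanstalk:InApplication and elasticbeanstalk:FromApplicationVersion condition keys, so it helps to see exactly which requests each statement lets through. The script below is an added example, not AWS code and not the IAM evaluation engine: it is a deliberately small evaluator that models only what these policies use (Allow statements, wildcard Action and Resource matching, StringEquals and StringLike conditions on a flat request context) and runs Jack's condition-scoped statements from above against a few constructed requests. Explicit Deny, NotAction, policy variables, the ...IfExists operators and organization policies are not modelled; for an authoritative answer, use the IAM policy simulator.

```python
"""Minimal evaluator for the condition-scoped Elastic Beanstalk policies on this page.

Added example; not AWS code. Models only Effect Allow, Action/Resource
wildcards, and StringEquals/StringLike conditions on a flat request context.
"""
from fnmatch import fnmatchcase

PREFIX = "arn:aws:elasticbeanstalk:us-east-2:123456789012"
APP1 = f"{PREFIX}:application/app1"

# The two condition-bearing statements of Jack's second policy, copied from the page.
JACK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllReadCallsAndAllVersionCallsInApplications",
            "Action": ["elasticbeanstalk:Describe*",
                       "elasticbeanstalk:RequestEnvironmentInfo",
                       "elasticbeanstalk:RetrieveEnvironmentInfo",
                       "elasticbeanstalk:CreateApplicationVersion",
                       "elasticbeanstalk:DeleteApplicationVersion",
                       "elasticbeanstalk:UpdateApplicationVersion"],
            "Effect": "Allow",
            "Resource": ["*"],
            "Condition": {"StringEquals": {"elasticbeanstalk:InApplication": [APP1]}},
        },
        {
            "Sid": "UpdateEnvironmentInApplications",
            "Action": ["elasticbeanstalk:UpdateEnvironment"],
            "Effect": "Allow",
            "Resource": [f"{PREFIX}:environment/app1/app1-staging*"],
            "Condition": {
                "StringEquals": {"elasticbeanstalk:InApplication": [APP1]},
                "StringLike": {"elasticbeanstalk:FromApplicationVersion":
                               [f"{PREFIX}:applicationversion/app1/*"]},
            },
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value, fold_case=False):
    """IAM wildcard match: '*' and '?' are the only metacharacters."""
    if fold_case:  # action names are matched case-insensitively
        pattern, value = pattern.lower(), value.lower()
    return fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    """All operators and all keys must hold (AND); the values listed for one key are OR-ed.
    A key absent from the request makes the condition fail, as IAM does for
    StringEquals/StringLike without the ...IfExists suffix."""
    for operator, keys in condition.items():
        for key, patterns in keys.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                ok = actual in _as_list(patterns)
            elif operator == "StringLike":
                ok = any(_glob(p, actual) for p in _as_list(patterns))
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Default deny: True only if some Allow statement matches action, resource and context."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_glob(a, action, fold_case=True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    # Constructed requests: a deployment of an app1 version to staging and to production.
    staging = f"{PREFIX}:environment/app1/app1-staging"
    prod = f"{PREFIX}:environment/app1/app1-prod"
    ctx = {"elasticbeanstalk:InApplication": APP1,
           "elasticbeanstalk:FromApplicationVersion": f"{PREFIX}:applicationversion/app1/v1"}
    print("staging deploy:", is_allowed(JACK_POLICY, "elasticbeanstalk:UpdateEnvironment", staging, ctx))
    print("production deploy:", is_allowed(JACK_POLICY, "elasticbeanstalk:UpdateEnvironment", prod, ctx))
    print("create environment:", is_allowed(JACK_POLICY, "elasticbeanstalk:CreateEnvironment", staging, ctx))
```

The staging deployment is allowed, the production deployment is refused by the Resource pattern, and deploying a version that belongs to app2 (or calling UpdateEnvironment with no version label at all, so that the FromApplicationVersion key is absent) is refused by the StringLike condition. Describe* calls succeed for app1 and fail for app2 because of the InApplication key, and CreateEnvironment is not granted anywhere in this policy.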
The third policy grants the Elastic Beanstalk actions that the actions in the second policy depend on in order to complete. The AllNonResourceCalls statement allows the elasticbeanstalk:CheckDNSAvailability action, which is required to call elasticbeanstalk:CreateEnvironment and other actions. It also allows the elasticbeanstalk:CreateStorageLocation action, which is required for elasticbeanstalk:CreateEnvironment and other actions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllNonResourceCalls",
      "Action": [
        "elasticbeanstalk:CheckDNSAvailability",
        "elasticbeanstalk:CreateStorageLocation"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    }
  ]
}