本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
AWSServiceRoleForImageBuilder
描述:允許 EC2ImageBuilder 代表您呼叫 AWS 服務。
AWSServiceRoleForImageBuilder
是 AWS 受管政策。
使用此政策
此政策會連接至服務連結角色,讓服務代表您執行動作。您無法將此政策連接至使用者、群組或角色。
政策詳細資訊
-
類型:服務連結角色政策
-
建立時間:2019 年 11 月 29 日 22:02 UTC
-
編輯時間:2024 年 12 月 26 日 23:52 UTC
-
ARN:
arn:aws:iam::aws:policy/aws-service-role/AWSServiceRoleForImageBuilder
政策版本
政策版本: v20 (預設)
政策的預設版本是定義政策許可的版本。當具有該政策的使用者或角色提出存取 AWS 資源的請求時,AWS 會檢查政策的預設版本,以決定是否允許請求。
JSON 政策文件
{
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Action" : "ec2:RegisterImage",
"Resource" : [
"arn:aws:ec2:*::image/*"
],
"Condition" : {
"StringEquals" : {
"aws:RequestTag/CreatedBy" : "EC2 Image Builder"
}
}
},
{
"Effect" : "Allow",
"Action" : "ec2:RegisterImage",
"Resource" : [
"arn:aws:ec2:*::snapshot/*"
],
"Condition" : {
"StringEquals" : {
"ec2:ResourceTag/CreatedBy" : "EC2 Image Builder"
}
}
},
{
"Effect" : "Allow",
"Action" : [
"ec2:RunInstances"
],
"Resource" : [
"arn:aws:ec2:*::image/*",
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:key-pair/*",
"arn:aws:ec2:*:*:launch-template/*",
"arn:aws:license-manager:*:*:license-configuration:*"
]
},
{
"Effect" : "Allow",
"Action" : [
"ec2:RunInstances"
],
"Resource" : [
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:instance/*"
],
"Condition" : {
"StringEquals" : {
"aws:RequestTag/CreatedBy" : [
"EC2 Image Builder",
"EC2 Fast Launch"
]
}
}
},
{
"Effect" : "Allow",
"Action" : "iam:PassRole",
"Resource" : "*",
"Condition" : {
"StringEquals" : {
"iam:PassedToService" : [
"ec2.amazonaws.com",
"ec2.amazonaws.com.cn",
"vmie.amazonaws.com"
]
}
}
},
{
"Effect" : "Allow",
"Action" : [
"ec2:StopInstances",
"ec2:StartInstances",
"ec2:TerminateInstances"
],
"Resource" : "*",
"Condition" : {
"StringEquals" : {
"ec2:ResourceTag/CreatedBy" : "EC2 Image Builder"
}
}
},
{
"Effect" : "Allow",
"Action" : [
"ec2:CopyImage",
"ec2:CreateImage",
"ec2:CreateLaunchTemplate",
"ec2:DeregisterImage",
"ec2:DescribeImages",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInstances",
"ec2:DescribeInstanceTypeOfferings",
"ec2:DescribeInstanceTypes",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:ModifyImageAttribute",
"ec2:DescribeImportImageTasks",
"ec2:DescribeExportImageTasks",
"ec2:DescribeSnapshots",
"ec2:DescribeHosts"
],
"Resource" : "*"
},
{
"Effect" : "Allow",
"Action" : [
"ec2:ModifySnapshotAttribute"
],
"Resource" : "arn:aws:ec2:*::snapshot/*",
"Condition" : {
"StringEquals" : {
"ec2:ResourceTag/CreatedBy" : "EC2 Image Builder"
}
}
},
{
"Effect" : "Allow",
"Action" : [
"ec2:CreateTags"
],
"Resource" : "*",
"Condition" : {
"StringEquals" : {
"ec2:CreateAction" : [
"RunInstances",
"CreateImage"
],
"aws:RequestTag/CreatedBy" : [
"EC2 Image Builder",
"EC2 Fast Launch"
]
}
}
},
{
"Effect" : "Allow",
"Action" : [
"ec2:CreateTags"
],
"Resource" : [
"arn:aws:ec2:*::image/*",
"arn:aws:ec2:*:*:export-image-task/*"
]
},
{
"Effect" : "Allow",
"Action" : [
"ec2:CreateTags"
],
"Resource" : [
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*:*:launch-template/*"
],
"Condition" : {
"StringEquals" : {
"aws:RequestTag/CreatedBy" : [
"EC2 Image Builder",
"EC2 Fast Launch"
]
}
}
},
{
"Effect" : "Allow",
"Action" : [
"license-manager:UpdateLicenseSpecificationsForResource"
],
"Resource" : "*"
},
{
"Effect" : "Allow",
"Action" : [
"sns:Publish"
],
"Resource" : "*"
},
{
"Effect" : "Allow",
"Action" : [
"ssm:ListCommands",
"ssm:ListCommandInvocations",
"ssm:AddTagsToResource",
"ssm:DescribeInstanceInformation",
"ssm:GetAutomationExecution",
"ssm:StopAutomationExecution",
"ssm:ListInventoryEntries",
"ssm:SendAutomationSignal",
"ssm:DescribeInstanceAssociationsStatus",
"ssm:DescribeAssociationExecutions",
"ssm:GetCommandInvocation"
],
"Resource" : "*"
},
{
"Effect" : "Allow",
"Action" : "ssm:SendCommand",
"Resource" : [
"arn:aws:ssm:*:*:document/AWS-RunPowerShellScript",
"arn:aws:ssm:*:*:document/AWS-RunShellScript",
"arn:aws:ssm:*:*:document/AWSEC2-RunSysprep",
"arn:aws:s3:::*"
]
},
{
"Effect" : "Allow",
"Action" : [
"ssm:SendCommand"
],
"Resource" : [
"arn:aws:ec2:*:*:instance/*"
],
"Condition" : {
"StringEquals" : {
"ssm:resourceTag/CreatedBy" : [
"EC2 Image Builder"
]
}
}
},
{
"Effect" : "Allow",
"Action" : "ssm:StartAutomationExecution",
"Resource" : "arn:aws:ssm:*:*:automation-definition/ImageBuilder*"
},
{
"Effect" : "Allow",
"Action" : [
"ssm:CreateAssociation",
"ssm:DeleteAssociation"
],
"Resource" : [
"arn:aws:ssm:*:*:document/AWS-GatherSoftwareInventory",
"arn:aws:ssm:*:*:association/*",
"arn:aws:ec2:*:*:instance/*"
]
},
{
"Effect" : "Allow",
"Action" : [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncryptFrom",
"kms:ReEncryptTo",
"kms:GenerateDataKeyWithoutPlaintext"
],
"Resource" : "*",
"Condition" : {
"ForAllValues:StringEquals" : {
"kms:EncryptionContextKeys" : [
"aws:ebs:id"
]
},
"StringLike" : {
"kms:ViaService" : [
"ec2.*.amazonaws.com"
]
}
}
},
{
"Effect" : "Allow",
"Action" : [
"kms:DescribeKey"
],
"Resource" : "*",
"Condition" : {
"StringLike" : {
"kms:ViaService" : [
"ec2.*.amazonaws.com"
]
}
}
},
{
"Effect" : "Allow",
"Action" : "kms:CreateGrant",
"Resource" : "*",
"Condition" : {
"Bool" : {
"kms:GrantIsForAWSResource" : true
},
"StringLike" : {
"kms:ViaService" : [
"ec2.*.amazonaws.com"
]
}
}
},
{
"Effect" : "Allow",
"Action" : "sts:AssumeRole",
"Resource" : "arn:aws:iam::*:role/EC2ImageBuilderDistributionCrossAccountRole"
},
{
"Effect" : "Allow",
"Action" : [
"logs:CreateLogStream",
"logs:CreateLogGroup",
"logs:PutLogEvents"
],
"Resource" : "arn:aws:logs:*:*:log-group:/aws/imagebuilder/*"
},
{
"Effect" : "Allow",
"Action" : [
"ec2:CreateLaunchTemplateVersion",
"ec2:DescribeLaunchTemplates",
"ec2:ModifyLaunchTemplate",
"ec2:DescribeLaunchTemplateVersions"
],
"Resource" : "*"
},
{
"Effect" : "Allow",
"Action" : [
"ec2:ExportImage"
],
"Resource" : "arn:aws:ec2:*::image/*",
"Condition" : {
"StringEquals" : {
"ec2:ResourceTag/CreatedBy" : "EC2 Image Builder"
}
}
},
{
"Effect" : "Allow",
"Action" : [
"ec2:ExportImage"
],
"Resource" : "arn:aws:ec2:*:*:export-image-task/*"
},
{
"Effect" : "Allow",
"Action" : [
"ec2:CancelExportTask"
],
"Resource" : "arn:aws:ec2:*:*:export-image-task/*",
"Condition" : {
"StringEquals" : {
"ec2:ResourceTag/CreatedBy" : "EC2 Image Builder"
}
}
},
{
"Effect" : "Allow",
"Action" : "iam:CreateServiceLinkedRole",
"Resource" : "*",
"Condition" : {
"StringEquals" : {
"iam:AWSServiceName" : [
"ssm.amazonaws.com",
"ec2fastlaunch.amazonaws.com"
]
}
}
},
{
"Effect" : "Allow",
"Action" : [
"ec2:EnableFastLaunch"
],
"Resource" : [
"arn:aws:ec2:*::image/*",
"arn:aws:ec2:*:*:launch-template/*"
],
"Condition" : {
"StringEquals" : {
"ec2:ResourceTag/CreatedBy" : "EC2 Image Builder"
}
}
},
{
"Effect" : "Allow",
"Action" : [
"inspector2:ListCoverage",
"inspector2:ListFindings"
],
"Resource" : "*"
},
{
"Effect" : "Allow",
"Action" : [
"ecr:CreateRepository"
],
"Resource" : "*",
"Condition" : {
"StringEquals" : {
"aws:RequestTag/CreatedBy" : "EC2 Image Builder"
}
}
},
{
"Effect" : "Allow",
"Action" : [
"ecr:TagResource"
],
"Resource" : "arn:aws:ecr:*:*:repository/image-builder-*",
"Condition" : {
"StringEquals" : {
"aws:RequestTag/CreatedBy" : "EC2 Image Builder"
}
}
},
{
"Effect" : "Allow",
"Action" : [
"ecr:BatchDeleteImage"
],
"Resource" : "arn:aws:ecr:*:*:repository/image-builder-*",
"Condition" : {
"StringEquals" : {
"ecr:ResourceTag/CreatedBy" : "EC2 Image Builder"
}
}
},
{
"Effect" : "Allow",
"Action" : [
"events:DeleteRule",
"events:DescribeRule",
"events:PutRule",
"events:PutTargets",
"events:RemoveTargets"
],
"Resource" : [
"arn:aws:events:*:*:rule/ImageBuilder-*"
]
}
]
}