本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
AWSServiceRoleForImageBuilder
說明:允許 EC2 ImageBuilder 代表您呼叫 AWS 服務。
AWSServiceRoleForImageBuilder是AWS 受管理的策略。
使用此政策
此原則附加至服務連結角色,可讓服務代表您執行動作。您無法將此政策連接至使用者、群組或角色。
政策詳情
-
類型:服務連結角色原則
-
創建時間:二零一九年十一月二十九日, 世界標準時
-
編輯時間:世界標準時間 2023 年 10 月 19 日晚上 9 點 30 分
-
ARN:
arn:aws:iam::aws:policy/aws-service-role/AWSServiceRoleForImageBuilder
政策版本
策略版本:v19(預設值)
原則的預設版本是定義原則權限的版本。當具有策略的使用者或角色發出要求以存取 AWS 資源時,請 AWS 檢查原則的預設版本,以決定是否允許該要求。
政策文件
{ "Version" : "2012-10-17", "Statement" : [ { "Effect" : "Allow", "Action" : [ "ec2:RunInstances" ], "Resource" : [ "arn:aws:ec2:*::image/*", "arn:aws:ec2:*::snapshot/*", "arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:network-interface/*", "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:key-pair/*", "arn:aws:ec2:*:*:launch-template/*", "arn:aws:license-manager:*:*:license-configuration:*" ] }, { "Effect" : "Allow", "Action" : [ "ec2:RunInstances" ], "Resource" : [ "arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:instance/*" ], "Condition" : { "StringEquals" : { "aws:RequestTag/CreatedBy" : [ "EC2 Image Builder", "EC2 Fast Launch" ] } } }, { "Effect" : "Allow", "Action" : "iam:PassRole", "Resource" : "*", "Condition" : { "StringEquals" : { "iam:PassedToService" : [ "ec2.amazonaws.com", "ec2.amazonaws.com.rproxy.goskope.com.cn", "vmie.amazonaws.com" ] } } }, { "Effect" : "Allow", "Action" : [ "ec2:StopInstances", "ec2:StartInstances", "ec2:TerminateInstances" ], "Resource" : "*", "Condition" : { "StringEquals" : { "ec2:ResourceTag/CreatedBy" : "EC2 Image Builder" } } }, { "Effect" : "Allow", "Action" : [ "ec2:CopyImage", "ec2:CreateImage", "ec2:CreateLaunchTemplate", "ec2:DeregisterImage", "ec2:DescribeImages", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceStatus", "ec2:DescribeInstances", "ec2:DescribeInstanceTypeOfferings", "ec2:DescribeInstanceTypes", "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:ModifyImageAttribute", "ec2:DescribeImportImageTasks", "ec2:DescribeExportImageTasks", "ec2:DescribeSnapshots", "ec2:DescribeHosts" ], "Resource" : "*" }, { "Effect" : "Allow", "Action" : [ "ec2:ModifySnapshotAttribute" ], "Resource" : "arn:aws:ec2:*::snapshot/*", "Condition" : { "StringEquals" : { "ec2:ResourceTag/CreatedBy" : "EC2 Image Builder" } } }, { "Effect" : "Allow", "Action" : [ "ec2:CreateTags" ], "Resource" : "*", "Condition" : { "StringEquals" : { "ec2:CreateAction" : [ "RunInstances", "CreateImage" ], "aws:RequestTag/CreatedBy" : [ "EC2 Image Builder", "EC2 Fast Launch" ] } } }, { "Effect" : "Allow", "Action" : [ "ec2:CreateTags" ], "Resource" : [ "arn:aws:ec2:*::image/*", "arn:aws:ec2:*:*:export-image-task/*" ] }, { "Effect" : "Allow", "Action" : [ "ec2:CreateTags" ], "Resource" : [ "arn:aws:ec2:*::snapshot/*", "arn:aws:ec2:*:*:launch-template/*" ], "Condition" : { "StringEquals" : { "aws:RequestTag/CreatedBy" : [ "EC2 Image Builder", "EC2 Fast Launch" ] } } }, { "Effect" : "Allow", "Action" : [ "license-manager:UpdateLicenseSpecificationsForResource" ], "Resource" : "*" }, { "Effect" : "Allow", "Action" : [ "sns:Publish" ], "Resource" : "*" }, { "Effect" : "Allow", "Action" : [ "ssm:ListCommands", "ssm:ListCommandInvocations", "ssm:AddTagsToResource", "ssm:DescribeInstanceInformation", "ssm:GetAutomationExecution", "ssm:StopAutomationExecution", "ssm:ListInventoryEntries", "ssm:SendAutomationSignal", "ssm:DescribeInstanceAssociationsStatus", "ssm:DescribeAssociationExecutions", "ssm:GetCommandInvocation" ], "Resource" : "*" }, { "Effect" : "Allow", "Action" : "ssm:SendCommand", "Resource" : [ "arn:aws:ssm:*:*:document/AWS-RunPowerShellScript", "arn:aws:ssm:*:*:document/AWS-RunShellScript", "arn:aws:ssm:*:*:document/AWSEC2-RunSysprep", "arn:aws:s3:::*" ] }, { "Effect" : "Allow", "Action" : [ "ssm:SendCommand" ], "Resource" : [ "arn:aws:ec2:*:*:instance/*" ], "Condition" : { "StringEquals" : { "ssm:resourceTag/CreatedBy" : [ "EC2 Image Builder" ] } } }, { "Effect" : "Allow", "Action" : "ssm:StartAutomationExecution", "Resource" : "arn:aws:ssm:*:*:automation-definition/ImageBuilder*" }, { "Effect" : "Allow", "Action" : [ "ssm:CreateAssociation", "ssm:DeleteAssociation" ], "Resource" : [ "arn:aws:ssm:*:*:document/AWS-GatherSoftwareInventory", "arn:aws:ssm:*:*:association/*", "arn:aws:ec2:*:*:instance/*" ] }, { "Effect" : "Allow", "Action" : [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo", "kms:GenerateDataKeyWithoutPlaintext" ], "Resource" : "*", "Condition" : { "ForAllValues:StringEquals" : { "kms:EncryptionContextKeys" : [ "aws:ebs:id" ] }, "StringLike" : { "kms:ViaService" : [ "ec2.*.amazonaws.com" ] } } }, { "Effect" : "Allow", "Action" : [ "kms:DescribeKey" ], "Resource" : "*", "Condition" : { "StringLike" : { "kms:ViaService" : [ "ec2.*.amazonaws.com" ] } } }, { "Effect" : "Allow", "Action" : "kms:CreateGrant", "Resource" : "*", "Condition" : { "Bool" : { "kms:GrantIsForAWSResource" : true }, "StringLike" : { "kms:ViaService" : [ "ec2.*.amazonaws.com" ] } } }, { "Effect" : "Allow", "Action" : "sts:AssumeRole", "Resource" : "arn:aws:iam::*:role/EC2ImageBuilderDistributionCrossAccountRole" }, { "Effect" : "Allow", "Action" : [ "logs:CreateLogStream", "logs:CreateLogGroup", "logs:PutLogEvents" ], "Resource" : "arn:aws:logs:*:*:log-group:/aws/imagebuilder/*" }, { "Effect" : "Allow", "Action" : [ "ec2:CreateLaunchTemplateVersion", "ec2:DescribeLaunchTemplates", "ec2:ModifyLaunchTemplate", "ec2:DescribeLaunchTemplateVersions" ], "Resource" : "*" }, { "Effect" : "Allow", "Action" : [ "ec2:ExportImage" ], "Resource" : "arn:aws:ec2:*::image/*", "Condition" : { "StringEquals" : { "ec2:ResourceTag/CreatedBy" : "EC2 Image Builder" } } }, { "Effect" : "Allow", "Action" : [ "ec2:ExportImage" ], "Resource" : "arn:aws:ec2:*:*:export-image-task/*" }, { "Effect" : "Allow", "Action" : [ "ec2:CancelExportTask" ], "Resource" : "arn:aws:ec2:*:*:export-image-task/*", "Condition" : { "StringEquals" : { "ec2:ResourceTag/CreatedBy" : "EC2 Image Builder" } } }, { "Effect" : "Allow", "Action" : "iam:CreateServiceLinkedRole", "Resource" : "*", "Condition" : { "StringEquals" : { "iam:AWSServiceName" : [ "ssm.amazonaws.com", "ec2fastlaunch.amazonaws.com" ] } } }, { "Effect" : "Allow", "Action" : [ "ec2:EnableFastLaunch" ], "Resource" : [ "arn:aws:ec2:*::image/*", "arn:aws:ec2:*:*:launch-template/*" ], "Condition" : { "StringEquals" : { "ec2:ResourceTag/CreatedBy" : "EC2 Image Builder" } } }, { "Effect" : "Allow", "Action" : [ "inspector2:ListCoverage", "inspector2:ListFindings" ], "Resource" : "*" }, { "Effect" : "Allow", "Action" : [ "ecr:CreateRepository" ], "Resource" : "*", "Condition" : { "StringEquals" : { "aws:RequestTag/CreatedBy" : "EC2 Image Builder" } } }, { "Effect" : "Allow", "Action" : [ "ecr:TagResource" ], "Resource" : "arn:aws:ecr:*:*:repository/image-builder-*", "Condition" : { "StringEquals" : { "aws:RequestTag/CreatedBy" : "EC2 Image Builder" } } }, { "Effect" : "Allow", "Action" : [ "ecr:BatchDeleteImage" ], "Resource" : "arn:aws:ecr:*:*:repository/image-builder-*", "Condition" : { "StringEquals" : { "ecr:ResourceTag/CreatedBy" : "EC2 Image Builder" } } }, { "Effect" : "Allow", "Action" : [ "events:DeleteRule", "events:DescribeRule", "events:PutRule", "events:PutTargets", "events:RemoveTargets" ], "Resource" : [ "arn:aws:events:*:*:rule/ImageBuilder-*" ] } ] }
進一步了解
