How do I restrict IAM permissions for an Elastic Beanstalk user or application?

Last updated: May 18, 2020

I want to restrict the AWS Identity and Access Management (IAM) permissions of an AWS Elastic Beanstalk user or application when I create a new Elastic Beanstalk environment.

Short description

You can restrict the permissions of an IAM user or role by using an IAM policy. The policy can restrict access to a single environment or application.

Complete the steps in one of the following sections:

  • Restrict IAM access to only a single environment or application
  • Restrict IAM access to only the Elastic Beanstalk service

Note: For examples of how to combine IAM policies to restrict access to a single application, see Example policies based on managed policies and Example policies based on resource permissions.

Resolution

Restrict IAM access to only a single environment or application

Create an IAM policy that restricts access to your Elastic Beanstalk environment or application.

Consider the following:

  • In Elastic Beanstalk, your application is structured as a collection of components (such as environments, versions, and environment configurations), so you can't directly restrict permissions on the application as a whole. However, you can use actions, resources, and condition keys to restrict permissions at a more granular level.
  • IAM policies are not an effective way to protect the underlying resources. For example, you can use an appropriate IAM policy to restrict how a user interacts with the Elastic Beanstalk API. However, you can't prevent a user with Elastic Beanstalk permissions from creating resources in other AWS services that are unrelated to Elastic Beanstalk.
  • Some of the resources that Elastic Beanstalk integrates with don't support resource-level permissions. For more information, see AWS services that work with IAM.

The following example IAM policy grants full access to two Elastic Beanstalk applications, App1 and App2:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticbeanstalk:UpdateApplicationVersion",
                "elasticbeanstalk:CreateApplicationVersion",
                "elasticbeanstalk:DeleteApplicationVersion"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App1", "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App2"]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticbeanstalk:DescribeAccountAttributes",
                "elasticbeanstalk:AbortEnvironmentUpdate",
                "elasticbeanstalk:TerminateEnvironment",
                "rds:*",
                "elasticbeanstalk:ValidateConfigurationSettings",
                "elasticbeanstalk:CheckDNSAvailability",
                "autoscaling:*",
                "elasticbeanstalk:RequestEnvironmentInfo",
                "elasticbeanstalk:RebuildEnvironment",
                "elasticbeanstalk:DescribeInstancesHealth",
                "elasticbeanstalk:DescribeEnvironmentHealth",
                "sns:*",
                "elasticbeanstalk:RestartAppServer",
                "s3:*",
                "cloudformation:*",
                "elasticloadbalancing:*",
                "elasticbeanstalk:CreateStorageLocation",
                "elasticbeanstalk:DescribeEnvironmentManagedActions",
                "elasticbeanstalk:SwapEnvironmentCNAMEs",
                "elasticbeanstalk:DescribeConfigurationOptions",
                "elasticbeanstalk:ApplyEnvironmentManagedAction",
                "cloudwatch:*",
                "elasticbeanstalk:CreateEnvironment",
                "elasticbeanstalk:List*",
                "elasticbeanstalk:DeleteEnvironmentConfiguration",
                "elasticbeanstalk:UpdateEnvironment",
                "ec2:*",
                "elasticbeanstalk:RetrieveEnvironmentInfo",
                "elasticbeanstalk:DescribeConfigurationSettings",
                "sqs:*",
                "dynamodb:CreateTable",
                "dynamodb:DescribeTable"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:*"
            ],
            "Resource": [
                "arn:aws:iam::123456789012:role/aws-elasticbeanstalk-ec2-role",
                "arn:aws:iam::123456789012:role/aws-elasticbeanstalk-service-role",
                "arn:aws:iam::123456789012:instance-profile/aws-elasticbeanstalk-ec2-role"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticbeanstalk:DescribeEvents",
                "elasticbeanstalk:DescribeApplications",
                "elasticbeanstalk:AddTags",
                "elasticbeanstalk:ListPlatformVersions"
            ],
            "Resource": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App1", "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App2"]
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticbeanstalk:AddTags",
                "elasticbeanstalk:Describe*"
            ],
            "Resource": [
                "arn:aws:elasticbeanstalk:*::platform/*",
                "arn:aws:elasticbeanstalk:*:*:environment/*/*",
                "arn:aws:elasticbeanstalk:*:*:application/*",
                "arn:aws:elasticbeanstalk:*::solutionstack/*",
                "arn:aws:elasticbeanstalk:*:*:applicationversion/*/*",
                "arn:aws:elasticbeanstalk:*:*:configurationtemplate/*/*"
            ],
            "Condition": {
                "StringEquals": {
                    "elasticbeanstalk:InApplication": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App1", "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App2"]
                }
            }
        }
    ]
}

Important: If you don't use the default Elastic Beanstalk service role and instance profile, update the preceding IAM policy with your custom service role and instance profile.

For more information about restricting access to Elastic Beanstalk applications, see Resources and conditions for Elastic Beanstalk actions.
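The second consideration above is easy to lose sight of in a long policy: the elasticbeanstalk:InApplication condition scopes the Elastic Beanstalk API calls, but grants such as rds:*, s3:* and ec2:* on Resource "*" still allow resources to be created outside Elastic Beanstalk. The following added check (it is not from this article or from AWS) walks a policy document and lists every service-wide wildcard granted on Resource "*" without an InApplication condition; the embedded policy is a constructed, abbreviated copy of the example above.

```python
import json

# Constructed, abbreviated copy of the article's example policy (same shape, fewer actions).
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["elasticbeanstalk:UpdateApplicationVersion",
                "elasticbeanstalk:CreateApplicationVersion"],
     "Resource": "*",
     "Condition": {"StringEquals": {"elasticbeanstalk:InApplication": [
        "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App1"]}}},
    {"Effect": "Allow",
     "Action": ["elasticbeanstalk:DescribeAccountAttributes", "rds:*", "s3:*",
                "ec2:*", "dynamodb:CreateTable"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["iam:*"],
     "Resource": ["arn:aws:iam::123456789012:role/aws-elasticbeanstalk-ec2-role"]}
  ]
}
"""

SCOPE_KEY = "elasticbeanstalk:InApplication"


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def unscoped_wildcards(policy):
    """Return (statement_index, action) pairs for Allow statements that grant a
    service-wide wildcard action ('*' or 'svc:*') on Resource '*' and carry no
    InApplication condition, i.e. grants the condition key does not constrain."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        # Any condition operator block naming the scope key counts as scoped.
        if any(SCOPE_KEY in ops for ops in stmt.get("Condition", {}).values()):
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((i, action))
    return findings


if __name__ == "__main__":
    for idx, action in unscoped_wildcards(json.loads(POLICY_JSON)):
        print(f"statement {idx}: {action} on Resource '*' is not scoped by {SCOPE_KEY}")
```

The report shows why the article recommends a separate account when the goal is isolation rather than a narrower API surface: statement 1 is flagged for rds:*, s3:* and ec2:*, while the iam:* statement is not, because its Resource list names specific roles.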

Restrict IAM access to only the Elastic Beanstalk service

Important: The following steps apply only to new Elastic Beanstalk environments or applications.

  1. Create a separate AWS account for your Elastic Beanstalk environment or application.
  2. Use AWS Organizations to connect the separate account to your primary AWS account.
