Managing Elastic Beanstalk user policies - AWS Elastic Beanstalk

This is a machine-translated version. Where this translation and the English original differ, the English original prevails.

Managing Elastic Beanstalk user policies

AWS Elastic Beanstalk provides two managed policies that let you grant full access or read-only access to all resources that Elastic Beanstalk manages. You can attach the policies to AWS Identity and Access Management (IAM) users or groups, or to roles that your users assume.

Important

Elastic Beanstalk managed policies don't provide granular permissions: they grant all permissions that might be needed to work with Elastic Beanstalk applications. Our managed policies also don't cover permissions for custom resources that you might add to your solution and that Elastic Beanstalk doesn't manage. To implement more granular permissions, the minimum required permissions, or permissions for custom resources, use custom policies.

Managed user policies
  • AdministratorAccess-AWSElasticBeanstalk – Grants users all the administrative permissions to create, modify, and delete Elastic Beanstalk applications, application versions, configuration settings, environments, and their underlying resources. To view the contents of the managed policy, see the AdministratorAccess-AWSElasticBeanstalk page in the AWS Managed Policy Reference Guide.

  • AWSElasticBeanstalkReadOnly – Allows users to view applications and environments, but not to perform any operation that modifies them. It provides read-only access to all Elastic Beanstalk resources and to the other AWS resources that the Elastic Beanstalk console retrieves. Note that read-only access doesn't enable operations such as downloading Elastic Beanstalk logs so that you can read them, because the logs are stored in an Amazon S3 bucket for which Elastic Beanstalk needs write permissions. For an example of how to enable access to Elastic Beanstalk logs, see the example at the end of this topic. To view the contents of the managed policy, see the AWSElasticBeanstalkReadOnly page in the AWS Managed Policy Reference Guide.

Note

Previously, Elastic Beanstalk supported two other managed user policies, AWSElasticBeanstalkFullAccess and AWSElasticBeanstalkReadOnlyAccess. We plan to deprecate these earlier policies. You might still be able to view and use them in the IAM console. However, we recommend that you switch to the new managed user policies, and then add custom policies to grant permissions to custom resources, if you have any.

Policies for integrating with other services

If you prefer to use more granular policies, the following policies let you integrate your environments with other services.

This policy allows environments to manage Amazon CloudWatch Logs log groups.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCWL",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:DeleteLogGroup",
        "logs:PutRetentionPolicy"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/elasticbeanstalk/*"
    }
  ]
}

This policy allows environments to integrate an Amazon RDS instance.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRDS",
      "Effect": "Allow",
      "Action": [
        "rds:CreateDBSecurityGroup",
        "rds:DeleteDBSecurityGroup",
        "rds:AuthorizeDBSecurityGroupIngress",
        "rds:CreateDBInstance",
        "rds:ModifyDBInstance",
        "rds:DeleteDBInstance"
      ],
      "Resource": [
        "arn:aws:rds:*:*:secgrp:awseb-e-*",
        "arn:aws:rds:*:*:db:*"
      ]
    }
  ]
}

This policy allows the worker environment tier to create Amazon DynamoDB tables and Amazon SQS queues.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSQS",
      "Effect": "Allow",
      "Action": [
        "sqs:TagQueue",
        "sqs:DeleteQueue",
        "sqs:GetQueueAttributes",
        "sqs:CreateQueue"
      ],
      "Resource": "arn:aws:sqs:*:*:awseb-e-*"
    },
    {
      "Sid": "AllowDDB",
      "Effect": "Allow",
      "Action": [
        "dynamodb:CreateTable",
        "dynamodb:TagResource",
        "dynamodb:DescribeTable",
        "dynamodb:DeleteTable"
      ],
      "Resource": "arn:aws:dynamodb:*:*:table/awseb-e-*"
    }
  ]
}

This policy allows multicontainer Docker environments to manage Amazon ECS clusters.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowECS",
      "Effect": "Allow",
      "Action": [
        "ecs:CreateCluster",
        "ecs:DeleteCluster",
        "ecs:DeRegisterTaskDefinition",
        "ecs:RegisterTaskDefinition"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "AllowECSTagResource",
      "Effect": "Allow",
      "Action": [
        "ecs:TagResource"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ecs:CreateAction": [
            "CreateCluster",
            "RegisterTaskDefinition"
          ]
        }
      }
    }
  ]
}

This policy allows the core operations of a web server environment.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TerminateInstances",
      "Effect": "Allow",
      "Action": [
        "ec2:TerminateInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringLike": {
          "ec2:ResourceTag/aws:cloudformation:stack-id": "arn:aws:cloudformation:*:*:stack/awseb-e-*"
        }
      }
    },
    {
      "Sid": "EC2",
      "Effect": "Allow",
      "Action": [
        "ec2:ReleaseAddress",
        "ec2:AllocateAddress",
        "ec2:DisassociateAddress",
        "ec2:AssociateAddress",
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ec2:CreateSecurityGroup",
        "ec2:DeleteSecurityGroup",
        "ec2:AuthorizeSecurityGroup*",
        "ec2:RevokeSecurityGroup*",
        "ec2:CreateLaunchTemplate*",
        "ec2:DeleteLaunchTemplate*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "LTRunInstances",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "*",
      "Condition": {
        "ArnLike": {
          "ec2:LaunchTemplate": "arn:aws:ec2:*:*:launch-template/*"
        }
      }
    },
    {
      "Sid": "ASG",
      "Effect": "Allow",
      "Action": [
        "autoscaling:AttachInstances",
        "autoscaling:*LoadBalancer*",
        "autoscaling:*AutoScalingGroup",
        "autoscaling:*LaunchConfiguration",
        "autoscaling:DeleteScheduledAction",
        "autoscaling:DetachInstances",
        "autoscaling:PutNotificationConfiguration",
        "autoscaling:PutScalingPolicy",
        "autoscaling:PutScheduledUpdateGroupAction",
        "autoscaling:ResumeProcesses",
        "autoscaling:SuspendProcesses",
        "autoscaling:*Tags"
      ],
      "Resource": [
        "arn:aws:autoscaling:*:*:launchConfiguration:*:launchConfigurationName/awseb-e-*",
        "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/awseb-e-*"
      ]
    },
    {
      "Sid": "ASGPolicy",
      "Effect": "Allow",
      "Action": [
        "autoscaling:DeletePolicy"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "EBSLR",
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/aws-service-role/elasticbeanstalk.amazonaws.com/AWSServiceRoleForElasticBeanstalk*"
      ],
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "elasticbeanstalk.amazonaws.com"
        }
      }
    },
    {
      "Sid": "S3Obj",
      "Effect": "Allow",
      "Action": [
        "s3:Delete*",
        "s3:Get*",
        "s3:Put*"
      ],
      "Resource": [
        "arn:aws:s3:::elasticbeanstalk-*/*",
        "arn:aws:s3:::elasticbeanstalk-env-resources-*/*"
      ]
    },
    {
      "Sid": "S3Bucket",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucket*",
        "s3:ListBucket",
        "s3:PutBucketPolicy"
      ],
      "Resource": "arn:aws:s3:::elasticbeanstalk-*"
    },
    {
      "Sid": "CFN",
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:DeleteStack",
        "cloudformation:GetTemplate",
        "cloudformation:ListStackResources",
        "cloudformation:UpdateStack",
        "cloudformation:ContinueUpdateRollback",
        "cloudformation:CancelUpdateStack"
      ],
      "Resource": "arn:aws:cloudformation:*:*:stack/awseb-e-*"
    },
    {
      "Sid": "CloudWatch",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:DeleteAlarms"
      ],
      "Resource": "arn:aws:cloudwatch:*:*:alarm:awseb-*"
    },
    {
      "Sid": "ELB",
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:Create*",
        "elasticloadbalancing:Delete*",
        "elasticloadbalancing:Modify*",
        "elasticloadbalancing:RegisterTargets",
        "elasticloadbalancing:DeRegisterTargets",
        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "elasticloadbalancing:*Tags",
        "elasticloadbalancing:ConfigureHealthCheck",
        "elasticloadbalancing:SetRulePriorities",
        "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
      ],
      "Resource": [
        "arn:aws:elasticloadbalancing:*:*:targetgroup/awseb-*",
        "arn:aws:elasticloadbalancing:*:*:loadbalancer/awseb-*",
        "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/awseb-*/*",
        "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/awseb-*/*",
        "arn:aws:elasticloadbalancing:*:*:listener/awseb-*",
        "arn:aws:elasticloadbalancing:*:*:listener/app/awseb-*",
        "arn:aws:elasticloadbalancing:*:*:listener/net/awseb-*",
        "arn:aws:elasticloadbalancing:*:*:listener-rule/app/awseb-*/*/*/*"
      ]
    },
    {
      "Sid": "ListAPIs",
      "Effect": "Allow",
      "Action": [
        "autoscaling:Describe*",
        "cloudformation:Describe*",
        "logs:Describe*",
        "ec2:Describe*",
        "ecs:Describe*",
        "ecs:List*",
        "elasticloadbalancing:Describe*",
        "rds:Describe*",
        "sns:List*",
        "iam:List*",
        "acm:Describe*",
        "acm:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowPassRole",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::*:role/aws-elasticbeanstalk-*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "elasticbeanstalk.amazonaws.com",
            "ec2.amazonaws.com",
            "autoscaling.amazonaws.com",
            "elasticloadbalancing.amazonaws.com",
            "ecs.amazonaws.com",
            "cloudformation.amazonaws.com"
          ]
        }
      }
    }
  ]
}

This policy allows environments to enable Amazon SNS topic integration.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowBeanstalkManageSNS",
      "Effect": "Allow",
      "Action": [
        "sns:CreateTopic",
        "sns:SetTopicAttributes",
        "sns:DeleteTopic"
      ],
      "Resource": [
        "arn:aws:sns:*:*:ElasticBeanstalkNotifications-*"
      ]
    },
    {
      "Sid": "AllowSNSPublish",
      "Effect": "Allow",
      "Action": [
        "sns:GetTopicAttributes",
        "sns:Subscribe",
        "sns:Unsubscribe",
        "sns:Publish"
      ],
      "Resource": "*"
    }
  ]
}

Controlling access with managed policies

You can use managed policies to grant full access or read-only access to Elastic Beanstalk. Elastic Beanstalk updates these policies automatically when additional permissions are required to access new features.

To apply a managed policy to IAM users or groups
  1. Open the Policies page in the IAM console.

  2. In the search box, type AWSElasticBeanstalk to filter the policies.

  3. In the list of policies, select the check box next to AWSElasticBeanstalkReadOnly or AdministratorAccess-AWSElasticBeanstalk.

  4. Choose Policy actions, and then choose Attach.

  5. Select one or more users and groups to attach the policy to. You can use the Filter menu and the search box to filter the list of principal entities.

  6. Choose Attach policy.

Creating a custom user policy

You can create your own IAM policy to allow or deny specific Elastic Beanstalk API actions on specific Elastic Beanstalk resources, and to control access to custom resources that Elastic Beanstalk doesn't manage. For more information about attaching a policy to a user or group, see Working with Policies in the IAM User Guide. For more information about creating a custom policy, see Creating IAM Policies in the IAM User Guide.

Note

Although you can restrict how users interact with the Elastic Beanstalk APIs, there is currently no effective way to prevent users who have permission to create the necessary underlying resources from creating other resources in Amazon EC2 and other services.

Think of these policies as an effective way to distribute Elastic Beanstalk responsibilities, not as a way to secure all underlying resources.

In November 2019, Elastic Beanstalk released support for Amazon EC2 launch templates. This is a new resource type that your environment's Auto Scaling group can use to launch Amazon EC2 instances, and it requires new permissions. If your user policies lack the required permissions, environments can still use the legacy resource, launch configurations, so most customers aren't affected. However, if you try to use a new feature that requires Amazon EC2 launch templates and you have custom policies, environment creation or updates might fail. In that case, make sure that your custom policies include the following permissions.

Permissions required for Amazon EC2 launch templates
  • EC2:CreateLaunchTemplate

  • EC2:CreateLaunchTemplateVersions

  • EC2:DeleteLaunchTemplate

  • EC2:DeleteLaunchTemplateVersions

  • EC2:DescribeLaunchTemplate

  • EC2:DescribeLaunchTemplateVersions

An IAM policy contains policy statements that describe the permissions you want to grant. When you create a policy statement for Elastic Beanstalk, you need to understand how to use the following four parts of a policy statement:

  • Effect specifies whether to allow or deny the actions in the statement.

  • Action specifies the API actions that you want to control. For example, use elasticbeanstalk:CreateEnvironment to specify the CreateEnvironment action. Certain actions, such as creating an environment, require additional permissions to perform. For more information, see Resources and conditions for Elastic Beanstalk actions.

    Note

    To use the UpdateTagsForResource API action, specify one (or both) of the following two virtual actions instead of the API action name:

    elasticbeanstalk:AddTags

    Controls permission to call UpdateTagsForResource and pass a list of tags to add in the TagsToAdd parameter.

    elasticbeanstalk:RemoveTags

    Controls permission to call UpdateTagsForResource and pass a list of tag keys to remove in the TagsToRemove parameter.

  • Resource specifies the resources that you want to control access to. To specify Elastic Beanstalk resources, list the Amazon Resource Name (ARN) of each resource.

  • (Optional) Condition specifies restrictions on the permission granted in the statement. For more information, see Resources and conditions for Elastic Beanstalk actions.
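The two checks a reviewer runs over a custom policy before attaching it follow directly from the four statement parts above and from the launch-template permission list earlier in this section: flag Allow statements whose Action or Resource is a bare "*" with no Condition, and confirm that every required action is actually granted. The Python below is an added example, not AWS tooling or code from this page; the SAMPLE_POLICY it inspects is constructed for the demonstration, and the required-action list is copied from this page as written. Matching honours IAM's case-insensitive action names and its "*" and "?" wildcards, so a grant of ec2:CreateLaunchTemplate* satisfies both EC2:CreateLaunchTemplate and EC2:CreateLaunchTemplateVersions.

```python
"""Static review of an IAM policy document (added example, not AWS tooling).

Normalizes each statement (Action and Resource may be a string or a list) and
reports two things a reviewer checks before attaching a custom policy:
  * Allow statements whose Action or Resource is a bare "*" and that carry no
    Condition, so the grant is unbounded and deserves a second look
  * required actions that no Allow statement covers, honouring IAM's
    case-insensitive, '*'/'?' wildcard action matching
"""
import fnmatch
import json

# Permissions this page lists as required for Amazon EC2 launch templates.
LAUNCH_TEMPLATE_ACTIONS = [
    "EC2:CreateLaunchTemplate",
    "EC2:CreateLaunchTemplateVersions",
    "EC2:DeleteLaunchTemplate",
    "EC2:DeleteLaunchTemplateVersions",
    "EC2:DescribeLaunchTemplate",
    "EC2:DescribeLaunchTemplateVersions",
]

# Constructed sample custom policy (not from the page). It scopes launch-template
# actions with wildcards, keeps a Describe* statement on "*" like the page's
# ListAPIs statement, and includes one grant that is far too broad.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LaunchTemplates",
      "Effect": "Allow",
      "Action": ["ec2:CreateLaunchTemplate*", "ec2:DeleteLaunchTemplate*"],
      "Resource": "arn:aws:ec2:*:*:launch-template/*"
    },
    { "Sid": "ListAPIs", "Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*" },
    { "Sid": "TooBroad", "Effect": "Allow", "Action": "s3:*", "Resource": "*" },
    {
      "Sid": "RegionGuard",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": { "StringNotEquals": { "aws:RequestedRegion": "us-east-2" } }
    }
  ]
}
""")


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action matching is case-insensitive; '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def normalized_statements(policy):
    """Yield (sid, effect, actions, resources, condition) for each statement."""
    for stmt in _as_list(policy.get("Statement")):
        yield (stmt.get("Sid", ""), stmt.get("Effect"),
               _as_list(stmt.get("Action")), _as_list(stmt.get("Resource")),
               stmt.get("Condition") or {})


def broad_allow_statements(policy):
    """Sids of Allow statements with a bare '*' Action or Resource and no Condition."""
    return [sid for sid, effect, actions, resources, condition in normalized_statements(policy)
            if effect == "Allow" and not condition and ("*" in actions or "*" in resources)]


def missing_actions(policy, required):
    """Required actions that no Allow statement grants (conditions are ignored)."""
    granted = [a for _, effect, actions, _, _ in normalized_statements(policy)
               if effect == "Allow" for a in actions]
    return [need for need in required
            if not any(action_matches(pattern, need) for pattern in granted)]


if __name__ == "__main__":
    print("review these statements:", broad_allow_statements(SAMPLE_POLICY))
    print("launch-template actions still missing:",
          missing_actions(SAMPLE_POLICY, LAUNCH_TEMPLATE_ACTIONS))
```

A "*" Resource is not automatically wrong (the page's own ListAPIs statement uses one because Describe calls aren't resource-scoped), which is why the check reports sids for review rather than rejecting the policy; the missing-action check is what catches the launch-template failure mode described above before an environment update fails.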

The following sections describe a few cases in which you might consider a custom user policy.

Enabling limited Elastic Beanstalk environment creation

The policy in the following example allows users to call the CreateEnvironment action to create an environment whose name begins with Test, using the specified application and application version.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateEnvironmentPerm",
      "Action": [
        "elasticbeanstalk:CreateEnvironment"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/My First Elastic Beanstalk Application/Test*"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": [
            "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My First Elastic Beanstalk Application"
          ],
          "elasticbeanstalk:FromApplicationVersion": [
            "arn:aws:elasticbeanstalk:us-east-2:123456789012:applicationversion/My First Elastic Beanstalk Application/First Release"
          ]
        }
      }
    },
    {
      "Sid": "AllNonResourceCalls",
      "Action": [
        "elasticbeanstalk:CheckDNSAvailability",
        "elasticbeanstalk:CreateStorageLocation"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    }
  ]
}

The preceding policy shows how to grant limited access to Elastic Beanstalk actions. To actually launch an environment, the user must also have permission to create the AWS resources that support the environment. For example, the following policy grants access to the default set of resources for a web server environment:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:*",
        "ecs:*",
        "elasticloadbalancing:*",
        "autoscaling:*",
        "cloudwatch:*",
        "s3:*",
        "sns:*",
        "cloudformation:*",
        "sqs:*"
      ],
      "Resource": "*"
    }
  ]
}

Enabling access to Elastic Beanstalk logs stored in Amazon S3

The policy in the following example allows users to pull Elastic Beanstalk logs, stage them in Amazon S3, and retrieve them.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:DeleteObject",
        "s3:GetObjectAcl",
        "s3:PutObjectAcl"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::elasticbeanstalk-*"
    }
  ]
}

Note

To restrict these permissions to the log path only, use the following resource format.

"arn:aws:s3:::elasticbeanstalk-us-east-2-123456789012/resources/environments/logs/*"

Enabling management of a specific Elastic Beanstalk application

The policy in the following example allows users to manage environments and other resources within one specific Elastic Beanstalk application. The policy denies Elastic Beanstalk actions on the resources of other applications, and denies creating and deleting Elastic Beanstalk applications.

Note

This policy doesn't deny access to any resources through other services. It demonstrates an effective way to distribute responsibility for managing Elastic Beanstalk applications among users, not a way to secure the underlying resources.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "elasticbeanstalk:CreateApplication",
        "elasticbeanstalk:DeleteApplication"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "elasticbeanstalk:CreateApplicationVersion",
        "elasticbeanstalk:CreateConfigurationTemplate",
        "elasticbeanstalk:CreateEnvironment",
        "elasticbeanstalk:DeleteApplicationVersion",
        "elasticbeanstalk:DeleteConfigurationTemplate",
        "elasticbeanstalk:DeleteEnvironmentConfiguration",
        "elasticbeanstalk:DescribeApplicationVersions",
        "elasticbeanstalk:DescribeConfigurationOptions",
        "elasticbeanstalk:DescribeConfigurationSettings",
        "elasticbeanstalk:DescribeEnvironmentResources",
        "elasticbeanstalk:DescribeEnvironments",
        "elasticbeanstalk:DescribeEvents",
        "elasticbeanstalk:DeleteEnvironmentConfiguration",
        "elasticbeanstalk:RebuildEnvironment",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RestartAppServer",
        "elasticbeanstalk:RetrieveEnvironmentInfo",
        "elasticbeanstalk:SwapEnvironmentCNAMEs",
        "elasticbeanstalk:TerminateEnvironment",
        "elasticbeanstalk:UpdateApplicationVersion",
        "elasticbeanstalk:UpdateConfigurationTemplate",
        "elasticbeanstalk:UpdateEnvironment",
        "elasticbeanstalk:RetrieveEnvironmentInfo",
        "elasticbeanstalk:ValidateConfigurationSettings"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringNotEquals": {
          "elasticbeanstalk:InApplication": [
            "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/myapplication"
          ]
        }
      }
    }
  ]
}
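The three custom-policy examples in this section (the Test* environment policy with its StringEquals conditions, the log-path resource format, and the per-application Deny policy just above) all rely on the same evaluation rules: an explicit Deny overrides any Allow, a request that matches no statement is implicitly denied, and a Condition is checked against the request's condition keys. The Python below is an added example that re-implements just that subset so the outcomes can be checked offline; it is not AWS's policy evaluator and does not cover IfExists operators, NotAction, principals or policy variables. The broad ALLOW_ALL_EB policy is constructed for the demonstration, DENY_OTHER_APPS is the page's policy with its action list abridged, LOGS_ONLY is the log-access policy narrowed to the path the page's note gives, and the account, region and application names are the ones used in this page's examples.

```python
"""Minimal IAM-style policy evaluation for the examples on this page.

Added example, not AWS's evaluator. It implements only the subset of the
real evaluation logic that these examples depend on: an explicit Deny wins
over any Allow, a request that matches nothing is implicitly denied, and
Condition blocks using StringEquals, StringNotEquals, StringLike and ArnLike
are checked against a request-context dictionary of condition keys.
"""
import fnmatch

# Account, region and application names reuse the values in this page's examples.
ACCOUNT, REGION = "123456789012", "us-east-2"
APP_ARN = f"arn:aws:elasticbeanstalk:{REGION}:{ACCOUNT}:application/myapplication"
OTHER_APP_ARN = f"arn:aws:elasticbeanstalk:{REGION}:{ACCOUNT}:application/otherapp"
LOG_BUCKET = f"arn:aws:s3:::elasticbeanstalk-{REGION}-{ACCOUNT}"

# Constructed: a broad Allow that a user might already hold (not from the page).
ALLOW_ALL_EB = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "elasticbeanstalk:*", "Resource": "*"}]}

# The page's "specific application" policy, with its action list abridged.
DENY_OTHER_APPS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny",
     "Action": ["elasticbeanstalk:CreateApplication", "elasticbeanstalk:DeleteApplication"],
     "Resource": ["*"]},
    {"Effect": "Deny",
     "Action": ["elasticbeanstalk:CreateEnvironment", "elasticbeanstalk:TerminateEnvironment",
                "elasticbeanstalk:UpdateEnvironment"],
     "Resource": ["*"],
     "Condition": {"StringNotEquals": {"elasticbeanstalk:InApplication": [APP_ARN]}}}]}

# The page's log-access policy narrowed to the log path, as its note suggests.
LOGS_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:DeleteObject", "s3:GetObjectAcl", "s3:PutObjectAcl"],
     "Resource": f"{LOG_BUCKET}/resources/environments/logs/*"}]}


def _as_list(value):
    """IAM accepts either a single string or a list in most fields."""
    return value if isinstance(value, list) else [value]


def _like(pattern, value, case_insensitive):
    """IAM wildcard match: '*' and '?'; action names compare case-insensitively."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def condition_holds(condition, context):
    """All operator/key pairs must hold; a list of values means 'any of them'."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            expected = _as_list(expected)
            if operator == "StringEquals":
                ok = actual in expected
            elif operator == "StringNotEquals":
                ok = actual not in expected   # also true when the key is absent
            elif operator in ("StringLike", "ArnLike"):
                ok = actual is not None and any(_like(p, actual, False) for p in expected)
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def statement_applies(stmt, action, resource, context):
    """True when Action, Resource and Condition all match the request."""
    return (any(_like(p, action, True) for p in _as_list(stmt.get("Action", [])))
            and any(_like(p, resource, False) for p in _as_list(stmt.get("Resource", [])))
            and condition_holds(stmt.get("Condition", {}), context))


def evaluate(policies, action, resource, context=None):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request."""
    context = context or {}
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not statement_applies(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"              # an explicit Deny overrides every Allow
            decision = "Allow"
    return decision


if __name__ == "__main__":
    env = f"arn:aws:elasticbeanstalk:{REGION}:{ACCOUNT}:environment/myapplication/Test1"
    print(evaluate([ALLOW_ALL_EB, DENY_OTHER_APPS], "elasticbeanstalk:CreateApplication", "*"))
    print(evaluate([ALLOW_ALL_EB, DENY_OTHER_APPS], "elasticbeanstalk:CreateEnvironment", env,
                   {"elasticbeanstalk:InApplication": APP_ARN}))
    print(evaluate([LOGS_ONLY], "s3:GetObjectAcl", f"{LOG_BUCKET}/resources/environments/logs/x.gz"))
```

Two behaviours are worth noticing when you trace the Deny policy through this code. A request for CreateEnvironment that carries no elasticbeanstalk:InApplication key at all is denied, because StringNotEquals holds when the key is absent; and the Deny policy on its own grants nothing, so a user needs a separate Allow (here ALLOW_ALL_EB) before any Elastic Beanstalk call succeeds, which is exactly the division of responsibility the note above describes.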