Amazon Inspector agentless scanning uses a service-linked role named AWSServiceRoleForAmazonInspector2Agentless. This SLR allows Amazon Inspector to create snapshots of Amazon EBS volumes in your account and then access the data in those snapshots. The service-linked role trusts the agentless.inspector2.amazonaws.com service to assume the role.
Important
The statements in this service-linked role prevent Amazon Inspector from performing agentless scans on any EC2 instance that you have excluded from scanning with the InspectorEc2Exclusion tag. In addition, when the KMS key used to encrypt a volume has the InspectorEc2Exclusion tag, these statements prevent Amazon Inspector from accessing the encrypted data in that volume. For more information, see Excluding instances from Amazon Inspector scans.
The role's permissions policy, named AmazonInspector2AgentlessServiceRolePolicy, allows Amazon Inspector to perform the following tasks:
- Use Amazon Elastic Compute Cloud (Amazon EC2) actions to retrieve information about your EC2 instances, volumes, and snapshots.
- Use Amazon EC2 tagging actions to tag snapshots for scanning with the InspectorScan tag key.
- Use Amazon EC2 snapshot actions to create snapshots, tag them with the InspectorScan tag key, and delete snapshots of Amazon EBS volumes that have been tagged with the InspectorScan tag key.
- Use Amazon EBS actions to retrieve information from snapshots tagged with the InspectorScan tag key.
- Use select AWS KMS decrypt actions to decrypt snapshots that are encrypted with a customer managed AWS KMS key. Amazon Inspector doesn't decrypt a snapshot when the KMS key used to encrypt it has the InspectorEc2Exclusion tag.
The role is configured with the following permissions policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "InstanceIdentification",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeVolumes",
                "ec2:DescribeSnapshots"
            ],
            "Resource": "*"
        },
        {
            "Sid": "GetSnapshotData",
            "Effect": "Allow",
            "Action": [
                "ebs:ListSnapshotBlocks",
                "ebs:GetSnapshotBlock"
            ],
            "Resource": "arn:aws:ec2:*:*:snapshot/*",
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/InspectorScan": "*"
                }
            }
        },
        {
            "Sid": "CreateSnapshotsAnyInstanceOrVolume",
            "Effect": "Allow",
            "Action": "ec2:CreateSnapshots",
            "Resource": [
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ec2:*:*:volume/*"
            ]
        },
        {
            "Sid": "DenyCreateSnapshotsOnExcludedInstances",
            "Effect": "Deny",
            "Action": "ec2:CreateSnapshots",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/InspectorEc2Exclusion": "true"
                }
            }
        },
        {
            "Sid": "CreateSnapshotsOnAnySnapshotOnlyWithTag",
            "Effect": "Allow",
            "Action": "ec2:CreateSnapshots",
            "Resource": "arn:aws:ec2:*:*:snapshot/*",
            "Condition": {
                "Null": {
                    "aws:TagKeys": "false"
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": "InspectorScan"
                }
            }
        },
        {
            "Sid": "CreateOnlyInspectorScanTagOnlyUsingCreateSnapshots",
            "Effect": "Allow",
            "Action": "ec2:CreateTags",
            "Resource": "arn:aws:ec2:*:*:snapshot/*",
            "Condition": {
                "StringLike": {
                    "ec2:CreateAction": "CreateSnapshots"
                },
                "Null": {
                    "aws:TagKeys": "false"
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": "InspectorScan"
                }
            }
        },
        {
            "Sid": "DeleteOnlySnapshotsTaggedForScanning",
            "Effect": "Allow",
            "Action": "ec2:DeleteSnapshot",
            "Resource": "arn:aws:ec2:*:*:snapshot/*",
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/InspectorScan": "*"
                }
            }
        },
        {
            "Sid": "DenyKmsDecryptForExcludedKeys",
            "Effect": "Deny",
            "Action": "kms:Decrypt",
            "Resource": "arn:aws:kms:*:*:key/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/InspectorEc2Exclusion": "true"
                }
            }
        },
        {
            "Sid": "DecryptSnapshotBlocksVolContext",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": "arn:aws:kms:*:*:key/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                },
                "StringLike": {
                    "kms:ViaService": "ec2.*.amazonaws.com",
                    "kms:EncryptionContext:aws:ebs:id": "vol-*"
                }
            }
        },
        {
            "Sid": "DecryptSnapshotBlocksSnapContext",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": "arn:aws:kms:*:*:key/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                },
                "StringLike": {
                    "kms:ViaService": "ec2.*.amazonaws.com",
                    "kms:EncryptionContext:aws:ebs:id": "snap-*"
                }
            }
        },
        {
            "Sid": "DescribeKeysForEbsOperations",
            "Effect": "Allow",
            "Action": "kms:DescribeKey",
            "Resource": "arn:aws:kms:*:*:key/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                },
                "StringLike": {
                    "kms:ViaService": "ec2.*.amazonaws.com"
                }
            }
        },
        {
            "Sid": "ListKeyResourceTags",
            "Effect": "Allow",
            "Action": "kms:ListResourceTags",
            "Resource": "arn:aws:kms:*:*:key/*"
        }
    ]
}
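To see how the Allow and Deny statements above interact, the following Python script (an added example, not AWS code) evaluates a reduced copy of those statements against constructed requests. It applies IAM's explicit-deny-over-allow rule and models only the condition operators this policy uses (StringEquals, StringLike, Null, ForAllValues:StringEquals and the ${aws:PrincipalAccount} variable). The account id, instance id, snapshot id, key id and tag values are constructed placeholders; the reduced statement list omits the statements not exercised here, so results for other actions (for example kms:Decrypt with a snap-* encryption context) are not covered by this copy.

```python
"""Offline evaluator for a subset of AmazonInspector2AgentlessServiceRolePolicy.

Added example, not AWS code: applies explicit-deny-over-allow and only the
condition operators this policy uses, so the effect of the InspectorScan and
InspectorEc2Exclusion tags can be checked without calling AWS.
"""
from fnmatch import fnmatchcase

# Statements copied from the policy above, reduced to the ones exercised below.
STATEMENTS = [
    {"Sid": "GetSnapshotData", "Effect": "Allow",
     "Action": ["ebs:ListSnapshotBlocks", "ebs:GetSnapshotBlock"],
     "Resource": "arn:aws:ec2:*:*:snapshot/*",
     "Condition": {"StringLike": {"aws:ResourceTag/InspectorScan": "*"}}},
    {"Sid": "CreateSnapshotsAnyInstanceOrVolume", "Effect": "Allow",
     "Action": "ec2:CreateSnapshots",
     "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"]},
    {"Sid": "DenyCreateSnapshotsOnExcludedInstances", "Effect": "Deny",
     "Action": "ec2:CreateSnapshots", "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/InspectorEc2Exclusion": "true"}}},
    {"Sid": "CreateOnlyInspectorScanTagOnlyUsingCreateSnapshots", "Effect": "Allow",
     "Action": "ec2:CreateTags", "Resource": "arn:aws:ec2:*:*:snapshot/*",
     "Condition": {"StringLike": {"ec2:CreateAction": "CreateSnapshots"},
                   "Null": {"aws:TagKeys": "false"},
                   "ForAllValues:StringEquals": {"aws:TagKeys": "InspectorScan"}}},
    {"Sid": "DenyKmsDecryptForExcludedKeys", "Effect": "Deny",
     "Action": "kms:Decrypt", "Resource": "arn:aws:kms:*:*:key/*",
     "Condition": {"StringEquals": {"aws:ResourceTag/InspectorEc2Exclusion": "true"}}},
    {"Sid": "DecryptSnapshotBlocksVolContext", "Effect": "Allow",
     "Action": "kms:Decrypt", "Resource": "arn:aws:kms:*:*:key/*",
     "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"},
                   "StringLike": {"kms:ViaService": "ec2.*.amazonaws.com",
                                  "kms:EncryptionContext:aws:ebs:id": "vol-*"}}},
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resolve(value, ctx):
    # Policy variables such as ${aws:PrincipalAccount} take their value from the request.
    if value.startswith("${") and value.endswith("}"):
        return ctx.get(value[2:-1])
    return value


def _condition_matches(op, key, policy_values, ctx):
    wanted = [_resolve(v, ctx) for v in _as_list(policy_values)]
    present = key in ctx
    if op == "Null":  # "true": key must be absent; "false": key must be present
        return present != (wanted[0] == "true")
    if op == "ForAllValues:StringEquals":
        # A missing multivalued key satisfies ForAllValues, which is why the policy
        # pairs it with Null:false so a CreateSnapshots call without tags is not allowed.
        return all(v in wanted for v in _as_list(ctx.get(key, [])))
    if not present:
        return False
    if op == "StringEquals":
        return ctx[key] in wanted
    if op == "StringLike":
        return any(fnmatchcase(ctx[key], pattern) for pattern in wanted)
    raise ValueError(f"operator {op} is not modelled here")


def _statement_matches(stmt, action, resource, ctx):
    if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return all(_condition_matches(op, key, values, ctx)
               for op, block in stmt.get("Condition", {}).items()
               for key, values in block.items())


def evaluate(action, resource, ctx, statements=STATEMENTS):
    """Return 'explicitDeny', 'allowed' or 'implicitDeny' for one (action, resource) pair."""
    # A multi-resource call such as CreateSnapshots is authorized per resource; an
    # explicit deny on any one of them fails the whole call.
    matched = [s for s in statements if _statement_matches(s, action, resource, ctx)]
    if any(s["Effect"] == "Deny" for s in matched):
        return "explicitDeny"
    if any(s["Effect"] == "Allow" for s in matched):
        return "allowed"
    return "implicitDeny"


if __name__ == "__main__":
    # Constructed placeholders: the account id, instance id and key id are not real.
    instance = "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"
    key = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    via_ebs = {"aws:PrincipalAccount": "111122223333", "aws:ResourceAccount": "111122223333",
               "kms:ViaService": "ec2.us-east-1.amazonaws.com",
               "kms:EncryptionContext:aws:ebs:id": "vol-0123456789abcdef0"}
    print("snapshot plain instance:   ", evaluate("ec2:CreateSnapshots", instance, {}))
    print("snapshot excluded instance:", evaluate("ec2:CreateSnapshots", instance,
          {"ec2:ResourceTag/InspectorEc2Exclusion": "true"}))
    print("decrypt via EBS, own key:  ", evaluate("kms:Decrypt", key, via_ebs))
    print("decrypt with excluded key: ", evaluate("kms:Decrypt", key,
          {**via_ebs, "aws:ResourceTag/InspectorEc2Exclusion": "true"}))
```

Running the script prints the four decisions: an untagged instance can be snapshotted, an instance tagged InspectorEc2Exclusion=true hits the explicit deny, a decrypt routed through EC2 for a same-account volume is allowed, and the same decrypt against a key tagged InspectorEc2Exclusion=true is explicitly denied. The evaluator also shows why the kms:ViaService and aws:ResourceAccount conditions matter: a decrypt not routed through EC2, or against a key in another account, falls through to an implicit deny. Against a live account, the IAM policy simulator remains the authoritative check; this script is for reasoning about the statements offline.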