Instance Registration Policies - AWS OpsWorks


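Instance Registration Policies

Important

The AWS OpsWorks Stacks service reached end of life on May 26, 2024 and has been disabled for both new and existing customers. We strongly recommend that customers migrate their workloads to other solutions as soon as possible. If you have questions about migration, reach out to the AWS Support team on AWS re:Post or through AWS Premium Support.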

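The AWSOpsWorksRegisterCLI_EC2 and AWSOpsWorksRegisterCLI_OnPremises policies provide the correct permissions for registering EC2 instances and on-premises instances, respectively. Add AWSOpsWorksRegisterCLI_EC2 to your IAM user to register EC2 instances, and add AWSOpsWorksRegisterCLI_OnPremises to your user to register on-premises instances. To use these policies, you must be running at least version 1.16.180 of the AWS CLI.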

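AWSOpsWorksRegisterCLI_EC2 policy

Add AWSOpsWorksRegisterCLI_EC2 to your user to register EC2 instances. Use this policy if you plan to register only EC2 instances. When you use this policy, permissions are provided by the instance profile of the EC2 instance.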

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "opsworks:AssignInstance",
        "opsworks:CreateLayer",
        "opsworks:DeregisterInstance",
        "opsworks:DescribeInstances",
        "opsworks:DescribeStackProvisioningParameters",
        "opsworks:DescribeStacks",
        "opsworks:UnassignInstance"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

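AWSOpsWorksRegisterCLI_OnPremises policy

Add AWSOpsWorksRegisterCLI_OnPremises to your user to register on-premises instances. This policy includes IAM permissions, such as AttachUserPolicy, but the resources on which these permissions act are restricted.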

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "opsworks:AssignInstance",
        "opsworks:CreateLayer",
        "opsworks:DeregisterInstance",
        "opsworks:DescribeInstances",
        "opsworks:DescribeStackProvisioningParameters",
        "opsworks:DescribeStacks",
        "opsworks:UnassignInstance"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateGroup",
        "iam:AddUserToGroup"
      ],
      "Resource": [
        "arn:aws:iam::*:group/AWS/OpsWorks/OpsWorks-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateUser",
        "iam:CreateAccessKey"
      ],
      "Resource": [
        "arn:aws:iam::*:user/AWS/OpsWorks/OpsWorks-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:AttachUserPolicy"
      ],
      "Resource": [
        "arn:aws:iam::*:user/AWS/OpsWorks/OpsWorks-*"
      ],
      "Condition": {
        "ArnEquals": {
          "iam:PolicyARN": "arn:aws:iam::aws:policy/AWSOpsWorksInstanceRegistration"
        }
      }
    }
  ]
}
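
How the resource and condition restrictions in the on-premises policy bound its IAM permissions can be checked with a small evaluator. The following is an added example, not AWS code: it models only Allow statements and the ArnEquals operator (no explicit Deny, no other policy types), and the account ID and user names in the sample requests are constructed.

```python
import json
import re

# IAM statements copied from the AWSOpsWorksRegisterCLI_OnPremises policy above.
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["iam:CreateGroup", "iam:AddUserToGroup"],
   "Resource": ["arn:aws:iam::*:group/AWS/OpsWorks/OpsWorks-*"]},
  {"Effect": "Allow", "Action": ["iam:CreateUser", "iam:CreateAccessKey"],
   "Resource": ["arn:aws:iam::*:user/AWS/OpsWorks/OpsWorks-*"]},
  {"Effect": "Allow", "Action": ["iam:AttachUserPolicy"],
   "Resource": ["arn:aws:iam::*:user/AWS/OpsWorks/OpsWorks-*"],
   "Condition": {"ArnEquals": {"iam:PolicyARN":
     "arn:aws:iam::aws:policy/AWSOpsWorksInstanceRegistration"}}}
]}
""")

def glob_match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def as_list(x):
    return x if isinstance(x, list) else [x]

def is_allowed(policy, action, resource, context=None):
    """True if an Allow statement matches (simplified: Allow + ArnEquals only)."""
    context = context or {}
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition", {})
        if stmt["Effect"] != "Allow" or set(cond) - {"ArnEquals"}:
            continue  # statement shapes this model does not handle grant nothing
        if not any(glob_match(a, action, True) for a in as_list(stmt["Action"])):
            continue
        if not any(glob_match(r, resource) for r in as_list(stmt["Resource"])):
            continue
        if all(k in context and any(glob_match(p, context[k]) for p in as_list(v))
               for k, v in cond.get("ArnEquals", {}).items()):
            return True
    return False

# Constructed sample values (account ID and user names are made up).
USER = "arn:aws:iam::111122223333:user/AWS/OpsWorks/OpsWorks-web1"
OTHER = "arn:aws:iam::111122223333:user/alice"
REG = "arn:aws:iam::aws:policy/AWSOpsWorksInstanceRegistration"
ADMIN = "arn:aws:iam::aws:policy/AdministratorAccess"

if __name__ == "__main__":
    for pol in (REG, ADMIN):  # attaching is allowed only for the registration policy
        print(pol, is_allowed(POLICY, "iam:AttachUserPolicy", USER, {"iam:PolicyARN": pol}))
```

A principal holding only this policy can create and key users under the /AWS/OpsWorks/ path with the OpsWorks- prefix, and can attach exactly one managed policy to them.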

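(Deprecated) AWSOpsWorksRegisterCLI policy

Important

The AWSOpsWorksRegisterCLI policy is deprecated and cannot be used to register new instances. It is available only for backward compatibility with instances that are already registered. The AWSOpsWorksRegisterCLI policy contains many IAM permissions, including CreateUser, PutUserPolicy, and AddUserToGroup. Because these are administrator-level permissions, you should assign the AWSOpsWorksRegisterCLI policy only to trusted administrative users.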