環境を構築する度にポリシーを調べて設定したり作成したりしているのでよく使うものを覚書としてまとめておく。
特定のAWSサービス用ロールに紐づけ、各サービスでIAMロールとして設定する。いずれも「とりあえず動かす」ためのResource: *が多いので、本番では対象のARNに絞ること。
IAMユーザー
-
MFA強制
Webコンソール利用可能なIAMユーザーにMFAを強制するポリシー。
MFA付きのセッションでない間は、自分のMFAデバイス登録とパスワード変更など最低限の操作しかできない(末尾のDenyステートメントがNotActionに列挙した操作以外をすべて拒否する)。
パスワードは変更可能。
注意: 条件にBoolIfExistsを使っているため、aws:MultiFactorAuthPresentキーが存在しない長期アクセスキー(CLI/SDK)からの呼び出しもすべて拒否される。NotActionにsts:GetSessionTokenが入っていないので、アクセスキーからMFA付きの一時クレデンシャルを取得してCLIを使う経路も塞がれる。CLI利用者がいる場合はAWS公式サンプルに合わせてsts:GetSessionTokenをNotActionに追加すること。また、NotActionのiam:ListUsersはAllow側で許可していないため、このポリシー単体では何も許可しない。 - JSON
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowViewAccountInfo",
"Effect": "Allow",
"Action": [
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary",
"iam:ListVirtualMFADevices"
],
"Resource": "*"
},
{
"Sid": "AllowManageOwnPasswords",
"Effect": "Allow",
"Action": [
"iam:ChangePassword",
"iam:GetUser"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnAccessKeys",
"Effect": "Allow",
"Action": [
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:ListAccessKeys",
"iam:UpdateAccessKey"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnSigningCertificates",
"Effect": "Allow",
"Action": [
"iam:DeleteSigningCertificate",
"iam:ListSigningCertificates",
"iam:UpdateSigningCertificate",
"iam:UploadSigningCertificate"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnSSHPublicKeys",
"Effect": "Allow",
"Action": [
"iam:DeleteSSHPublicKey",
"iam:GetSSHPublicKey",
"iam:ListSSHPublicKeys",
"iam:UpdateSSHPublicKey",
"iam:UploadSSHPublicKey"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnGitCredentials",
"Effect": "Allow",
"Action": [
"iam:CreateServiceSpecificCredential",
"iam:DeleteServiceSpecificCredential",
"iam:ListServiceSpecificCredentials",
"iam:ResetServiceSpecificCredential",
"iam:UpdateServiceSpecificCredential"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnVirtualMFADevice",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:DeleteVirtualMFADevice"
],
"Resource": "arn:aws:iam::*:mfa/${aws:username}"
},
{
"Sid": "AllowManageOwnUserMFA",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice",
"iam:EnableMFADevice",
"iam:ListMFADevices",
"iam:ResyncMFADevice"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "DenyAllExceptListedIfNoMFA",
"Effect": "Deny",
"NotAction": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ListMFADevices",
"iam:ListUsers",
"iam:ListVirtualMFADevices",
"iam:ResyncMFADevice",
"iam:ChangePassword"
],
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
]
}
S3
-
S3全バケットフルアクセス
とりあえず全部許可したい場合。s3:*にはバケット削除やバケットポリシー/ACL変更(公開設定)も含まれ、アカウント内の全バケットのデータ持ち出し・改ざんが可能になる。検証環境向けで、本番では下の「特定バケットフルアクセス」のようにResourceを絞ること。 - 既存ポリシー: AmazonS3FullAccess
- JSON
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}
-
S3全バケット読込許可
とりあえず全部読込可としたい場合。s3:Get*は全バケットのオブジェクト本体(s3:GetObject)の取得を含むため、読み取り専用とはいえアカウント内の全データを読み出せる権限になる。対象バケットが決まっているならResourceをそのバケットのARNに限定する。 - 既存ポリシー: AmazonS3ReadOnlyAccess
- JSON
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": "*"
}
]
}
-
S3特定バケットフルアクセス
作成したバケットに対し、フルアクセスさせたい場合。バケット自身のARN(ListBucketなどバケット操作用)と arn:aws:s3:::バケット名/*(オブジェクト操作用)の両方を指定する必要がある。s3:*にはバケットポリシー変更や削除も含まれるので、アプリからの読み書きだけなら s3:GetObject / s3:PutObject / s3:DeleteObject / s3:ListBucket 程度に絞る。 - JSON
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::[特定バケット名]",
"arn:aws:s3:::[特定バケット名]/*"
]
}
]
}
SessionManager
-
セッションマネージャで接続するEC2のIAMロール(インスタンスプロファイル)に必要なポリシー
EC2に対し、SSH鍵の配置やインバウンドポートの開放なしにシェル接続する時に使う(Session Manager自体はSSHではなく、SSMエージェントがアウトバウンドでSSMエンドポイントに接続する)。
こことかここにやり方が書いてあるけど、そもそもこのポリシーが割り当たってないとできない。
注意: ssm:GetParameter / ssm:GetParameters がResource: *なので、このインスタンス上のプロセスはアカウント内のParameter Storeの全パラメータを読める(SecureStringはKMSキーのポリシー次第)。Parameter Storeに秘密情報を置いているなら、必要なパラメータのARNに絞った別ステートメントにする。 - 既存ポリシー: AmazonSSMManagedInstanceCore
- JSON
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:DescribeAssociation",
"ssm:GetDeployablePatchSnapshotForInstance",
"ssm:GetDocument",
"ssm:DescribeDocument",
"ssm:GetManifest",
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:ListAssociations",
"ssm:ListInstanceAssociations",
"ssm:PutInventory",
"ssm:PutComplianceItems",
"ssm:PutConfigurePackageResult",
"ssm:UpdateAssociationStatus",
"ssm:UpdateInstanceAssociationStatus",
"ssm:UpdateInstanceInformation"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ssmmessages:CreateControlChannel",
"ssmmessages:CreateDataChannel",
"ssmmessages:OpenControlChannel",
"ssmmessages:OpenDataChannel"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2messages:AcknowledgeMessage",
"ec2messages:DeleteMessage",
"ec2messages:FailMessage",
"ec2messages:GetEndpoint",
"ec2messages:GetMessages",
"ec2messages:SendReply"
],
"Resource": "*"
}
]
}
-
AWS CLIからセッションマネージャで接続するユーザーに必要なポリシー
クライアント側から aws ssm start-session(またはSSH over Session Manager)でEC2に接続する際、接続するIAMユーザー側に設定する。
Session Manager自体にはEC2のパブリックIPもSSH鍵も不要(上記のインスタンスロールとSSMエンドポイントへの到達性があればよい)。SSH over Session Managerを使う場合のみEC2側に公開鍵の配置が必要。
注意: とりあえずEC2の指定はない設定で、ssm:StartSessionがResource: *のためアカウント内のSSM管理下の全インスタンスにシェルを開ける。実運用ではResourceを対象インスタンスのARN(arn:aws:ec2:リージョン:アカウントID:instance/インスタンスID)と利用するセッションドキュメントのARNに絞り、ssm:TerminateSessionは arn:aws:ssm:*:*:session/${aws:username}-* に限定して他人のセッションを切れないようにする。 - JSON
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ec2:describeInstances",
"ssm:DescribeInstanceProperties",
"ssm:DescribeSessions",
"ssm:GetConnectionStatus",
"ssm:StartSession",
"ssm:TerminateSession"
],
"Resource": "*"
}
]
}
ECS
-
ECS用EC2(コンテナインスタンス)に必要
ECS用のEC2を作成する時に必須のポリシー。ないとクラスターのECSインスタンスに認識されない。
あと設定ファイル(/etc/ecs/ecs.config)と設定値ECS_CLUSTERもないと認識されない。参照
注意: このロールの資格情報はインスタンスメタデータ(IMDS)経由で取得できるため、遮断しない限りインスタンス上の全タスク(コンテナ)からも利用できてしまう。タスクに必要な権限はタスクロールで付与し、ECS_AWSVPC_BLOCK_IMDS=true(awsvpcモード)やiptablesでコンテナからのIMDSアクセスを遮断する。ecs:CreateClusterはエージェントが未作成のクラスターを自動作成するためのものなので、クラスターを事前に作成する運用なら外せる場合がある。 - 既存ポリシー: AmazonEC2ContainerServiceforEC2Role
- JSON
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeTags",
"ecs:CreateCluster",
"ecs:DeregisterContainerInstance",
"ecs:DiscoverPollEndpoint",
"ecs:Poll",
"ecs:RegisterContainerInstance",
"ecs:StartTelemetrySession",
"ecs:UpdateContainerInstancesState",
"ecs:Submit*",
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "*"
}
]
}
-
ECSデプロイに必要なポリシー
CI/CDツールなどからデプロイする際に必要なポリシー。
注意: iam:PassRoleがResource: *のままだと、このデプロイ用プリンシパルはアカウント内の任意のロールをタスクロール/実行ロールとしてタスク定義に登録して起動できるため、より強いロールへの権限昇格経路になる。Resourceは実際に使うタスクロールと実行ロールのARNに限定し、Condition: {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}} を付ける。ecs:UpdateService / ecs:RunTask もデプロイ対象のクラスター・サービスのARNに絞れる。
これと既存ポリシーAmazonEC2ContainerRegistryFullAccessが必要(ECRを限定しない場合)。イメージのpushだけならリポジトリ削除まで含むFullAccessは不要で、AmazonEC2ContainerRegistryPowerUserか対象リポジトリに絞ったポリシーで足りる。 - JSON
{
"Statement": [
{
"Action": [
"ecs:RegisterTaskDefinition",
"ecs:ListTaskDefinitions",
"ecs:DescribeTaskDefinition"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "RegisterTaskDefinition"
},
{
"Action": [
"iam:PassRole"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "PassRolesInTaskDefinition"
},
{
"Action": [
"ecs:UpdateService",
"ecs:DescribeServices"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "DeployService"
},
{
"Action": [
"ecs:RunTask",
"ecs:DescribeTasks"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "RunAndWaitTask"
}
],
"Version": "2012-10-17"
}