
An IAM policy that allows operations only within a specific VPC on AWS

Mainly intended to prevent operator mistakes.


Note

For RDS: the policy passes in the IAM Policy Simulator, yet for some reason it does not work when attached as a Managed Policy. It works as an Inline Policy. A bug? (as of 2015/7/3)


EC2


  • Launching can be restricted to one VPC by specifying the VPC ID (vpc-abcd1234) in the condition.

  • Stop, start, reboot and terminate cannot use the ec2:Vpc resource-level permission, so they are restricted by a tag such as Vpc: myvpc instead (ec2:CreateTags itself cannot be restricted, so this is not a strict boundary).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UnsupportedResourceLevelPermissions",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "ec2:*Tags",
        "ec2:Get*",
        "ec2:*KeyPair",
        "ec2:AllocateAddress",
        "ec2:AssociateAddress",
        "ec2:AttachNetworkInterface",
        "ec2:AttachVolume",
        "ec2:CancelSpotInstanceRequests",
        "ec2:CopyImage",
        "ec2:CopySnapshot",
        "ec2:CreateImage",
        "ec2:CreateSnapshot",
        "ec2:CreateVolume",
        "ec2:DeleteSnapshot",
        "ec2:DeleteVolume",
        "ec2:DetachNetworkInterface",
        "ec2:DetachVolume",
        "ec2:DisassociateAddress",
        "ec2:EnableVolumeIO",
        "ec2:ModifyImageAttribute",
        "ec2:ModifyInstanceAttribute",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:ModifySnapshotAttribute",
        "ec2:ModifyVolumeAttribute",
        "ec2:MonitorInstances",
        "ec2:ReleaseAddress",
        "ec2:ReportInstanceStatus",
        "ec2:RequestSpotInstances",
        "ec2:UnmonitorInstances"
      ],
      "Resource": "*"
    },
    {
      "Sid": "LaunchInstanceInSubnetMyVpc",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": "arn:aws:ec2:ap-northeast-1:123456789000:subnet/*",
      "Condition": {
        "StringEquals": {
          "ec2:Vpc": "arn:aws:ec2:ap-northeast-1:123456789000:vpc/vpc-abcd1234"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:ap-northeast-1::image/*",
        "arn:aws:ec2:ap-northeast-1:123456789000:instance/*",
        "arn:aws:ec2:ap-northeast-1:123456789000:volume/*",
        "arn:aws:ec2:ap-northeast-1:123456789000:network-interface/*",
        "arn:aws:ec2:ap-northeast-1:123456789000:key-pair/*",
        "arn:aws:ec2:ap-northeast-1:123456789000:security-group/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:TerminateInstances",
        "ec2:StopInstances",
        "ec2:StartInstances",
        "ec2:RebootInstances"
      ],
      "Resource": [
        "arn:aws:ec2:ap-northeast-1:123456789000:instance/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Vpc": "myvpc"
        }
      }
    }
  ]
}


DB


  • For launching, a VPC ID cannot be specified, so tag the DB subnet group that belongs to the VPC and restrict on the predefined key rds:subgrp-tag (at first glance rds:Vpc looks usable, but that key only expresses whether the instance runs inside a VPC at all).

  • Deletion is restricted by tag, as with EC2 (the rds:db-tag predefined key).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UnsupportedResourceLevelPermissions",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "LaunchRDSInSubnetMyVpc",
      "Effect": "Allow",
      "Action": [
        "rds:CreateDBInstanc*",
        "rds:RestoreDBInstanc*"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "rds:subgrp-tag/Vpc": [
            "myvpc"
          ]
        }
      }
    },
    {
      "Sid": "DeleteRDSWithTag",
      "Effect": "Allow",
      "Action": [
        "rds:DeleteDBInstance"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "rds:db-tag/Vpc": [
            "myvpc"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "rds:A*",
        "rds:Copy*",
        "rds:CreateDB*Group",
        "rds:CreateDBSnapshot",
        "rds:EventSubscription",
        "rds:DeleteDB*Group",
        "rds:DeleteDBSnapshot",
        "rds:Describe*",
        "rds:DownloadDBLogFilePortion",
        "rds:ListTagsForResource",
        "rds:Modify*",
        "rds:PromoteReadReplica",
        "rds:RebootDBInstance",
        "rds:Remove*",
        "rds:ResetDBParameterGroup",
        "rds:RevokeDBSecurityGroupIngress"
      ],
      "Resource": "*"
    }
  ]
}
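To see how the three gating mechanisms in the EC2 and DB policies above (ec2:Vpc on the subnet ARN, ec2:ResourceTag/Vpc on the instance, rds:subgrp-tag/Vpc on the subnet group) decide a request, here is an added example, not part of the original post: a small Allow-only evaluator run over a constructed subset of these statements. The account, region and VPC ids are the placeholder values from the page; the simplified matcher only models the StringEquals and StringLike operators the page uses.

```python
import fnmatch
import json

# Constructed subset of this page's policies: just the VPC-gated statements
# (account, region and VPC ids are the placeholder values used on the page).
POLICY = json.loads("""
{"Statement": [
  {"Effect": "Allow", "Action": "ec2:RunInstances",
   "Resource": "arn:aws:ec2:ap-northeast-1:123456789000:subnet/*",
   "Condition": {"StringEquals": {"ec2:Vpc":
     "arn:aws:ec2:ap-northeast-1:123456789000:vpc/vpc-abcd1234"}}},
  {"Effect": "Allow", "Action": ["ec2:TerminateInstances", "ec2:StopInstances"],
   "Resource": "arn:aws:ec2:ap-northeast-1:123456789000:instance/*",
   "Condition": {"StringEquals": {"ec2:ResourceTag/Vpc": "myvpc"}}},
  {"Effect": "Allow", "Action": "rds:CreateDBInstanc*", "Resource": "*",
   "Condition": {"StringLike": {"rds:subgrp-tag/Vpc": ["myvpc"]}}}
]}
""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_matches(cond, ctx):
    # Only the two operators this page uses. A key absent from the request
    # context (e.g. an untagged instance) never satisfies a condition.
    for op, pairs in cond.items():
        for key, wanted in pairs.items():
            have = ctx.get(key)
            if have is None:
                return False
            if op == "StringEquals" and have not in _as_list(wanted):
                return False
            if op == "StringLike" and not any(
                    fnmatch.fnmatchcase(have, w) for w in _as_list(wanted)):
                return False
    return True

def is_allowed(policy, action, resource, ctx):
    """Allow-only check: True if some statement matches action, resource ARN and
    context. Real IAM also applies explicit denies and, for RunInstances,
    requires an Allow for every resource ARN in the call (image, volume, ...)."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if _condition_matches(st.get("Condition", {}), ctx):
            return True
    return False
```

Calling is_allowed with a request context that lacks the tag key shows why the tag-based statements are only as strong as control over ec2:CreateTags: an instance tagged Vpc=myvpc after the fact becomes stoppable.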


References

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-supported-iam-actions-resources.html

http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions

http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.html

http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.ResourcePermissions.html