Amazon EC2 Systems Manager
User Guide
Features described in AWS services or AWS documentation may vary by region or location. Click Getting Started with Amazon AWS to see specific differences applicable to the China (Beijing) Region.

Restricting Run Command Access Based on Instance Tags

Before you can manage instances with Run Command, you must configure an AWS Identity and Access Management (IAM) user policy for every user who will execute commands, and an IAM instance profile role for every instance that will process commands, as described in Configuring Access to Systems Manager. You can further restrict command execution to specific instances by creating an IAM user policy that contains a condition stating that the user may execute commands only on instances that carry specific Amazon EC2 tags. In the following example, the user is allowed to use Run Command (Effect: Allow, Action: ssm:SendCommand) with any SSM document (Resource: arn:aws:ssm:*:*:document/*) on any instance (Resource: arn:aws:ec2:*:*:instance/*), on the condition that the instance is a Finance WebServer (ssm:resourceTag/Finance: WebServer). If the user sends a command to an instance that is not tagged, or that carries any tag other than Finance: WebServer, the execution result shows AccessDenied.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:SendCommand"
      ],
      "Resource": [
        "arn:aws:ssm:*:*:document/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:SendCommand"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*"
      ],
      "Condition": {
        "StringLike": {
          "ssm:resourceTag/Finance": [
            "WebServer"
          ]
        }
      }
    }
  ]
}

You can create IAM policies that allow a user to execute commands on instances that are tagged with multiple tags. The following policy allows the user to execute commands on instances that carry two tags. If the user sends a command to an instance that is not tagged with both of these tags, the execution result shows AccessDenied.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:SendCommand"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ssm:resourceTag/tag_key1": [
            "tag_value1"
          ],
          "ssm:resourceTag/tag_key2": [
            "tag_value2"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:SendCommand"
      ],
      "Resource": [
        "arn:aws:ssm:us-west-1::document/AWS-*",
        "arn:aws:ssm:us-east-1::document/AWS-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:UpdateInstanceInformation",
        "ssm:ListCommands",
        "ssm:ListCommandInvocations",
        "ssm:GetDocument"
      ],
      "Resource": "*"
    }
  ]
}

You can also create IAM policies that allow a user to execute commands on multiple groups of tagged instances. The following policy allows the user to execute commands on either group of tagged instances, or on both groups.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:SendCommand"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ssm:resourceTag/tag_key1": [
            "tag_value1"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:SendCommand"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ssm:resourceTag/tag_key2": [
            "tag_value2"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:SendCommand"
      ],
      "Resource": [
        "arn:aws:ssm:us-west-1::document/AWS-*",
        "arn:aws:ssm:us-east-1::document/AWS-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:UpdateInstanceInformation",
        "ssm:ListCommands",
        "ssm:ListCommandInvocations",
        "ssm:GetDocument"
      ],
      "Resource": "*"
    }
  ]
}
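To see how the tag conditions in the two-tag and either-tag policies combine, the following is an added Python model of how ssm:SendCommand is authorized against the two resources it names (the SSM document and the instance). It is example code written for this page, not AWS code and not part of the guide; the two-tag policy is embedded as constructed sample data, and the model assumes that documents carry no ssm:resourceTag keys and covers only Allow statements with StringLike tag conditions, not full IAM evaluation.

```python
import fnmatch

# Constructed sample: the "both tags required" policy from this page, as a Python dict.
TWO_TAG_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ssm:SendCommand"], "Resource": "*",
         "Condition": {"StringLike": {"ssm:resourceTag/tag_key1": ["tag_value1"],
                                      "ssm:resourceTag/tag_key2": ["tag_value2"]}}},
        {"Effect": "Allow", "Action": ["ssm:SendCommand"],
         "Resource": ["arn:aws:ssm:us-west-1::document/AWS-*",
                      "arn:aws:ssm:us-east-1::document/AWS-*"]},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def condition_matches(condition, tags):
    # Every key in a StringLike block must match (logical AND). A tag key that is
    # absent from the instance makes the condition false, which is why an untagged
    # instance gets AccessDenied rather than an accidental match.
    prefix = "ssm:resourceTag/"
    for key, patterns in condition.get("StringLike", {}).items():
        if not key.startswith(prefix):
            return False  # other condition keys are outside this simplified model
        actual = tags.get(key[len(prefix):])
        if actual is None or not any(fnmatch.fnmatchcase(actual, p) for p in patterns):
            return False
    return True

def statement_allows(stmt, action, resource_arn, tags):
    # Action and Resource patterns use IAM-style * and ? wildcards; fnmatch models that.
    return (stmt.get("Effect") == "Allow"
            and any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"]))
            and condition_matches(stmt.get("Condition", {}), tags))

def send_command_allowed(policy, document_arn, instance_arn, instance_tags):
    # SendCommand is authorized against two resources, the SSM document and the
    # instance; each needs at least one matching Allow statement (OR across statements).
    # Documents carry no ssm:resourceTag keys, so they are evaluated with an empty tag set.
    for arn, tags in ((document_arn, {}), (instance_arn, instance_tags)):
        if not any(statement_allows(s, "ssm:SendCommand", arn, tags)
                   for s in policy["Statement"]):
            return False
    return True
```

Feeding the either-tag policy from this page into send_command_allowed shows the OR behaviour: an instance carrying only tag_key2 is allowed there but denied under TWO_TAG_POLICY.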

For more information about creating IAM user policies, see Managed Policies and Inline Policies in the IAM User Guide. For more information about tagging instances, see Tagging Your Amazon EC2 Resources in the Amazon EC2 User Guide for Linux Instances (the content applies to both Windows and Linux instances).