AWS Systems Manager
User Guide
The AWS services or features described in the AWS documentation may vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon AWS.

Restricting Run Command Access Based on Instance Tags

You can further restrict command execution to specific instances by creating an IAM user policy that includes a condition stating that the user may run commands only on instances tagged with a specific Amazon EC2 tag. In the following example, the user can use Run Command (Effect: Allow, Action: ssm:SendCommand) with any SSM document (Resource: arn:aws:ssm:*:*:document/*) on any instance (Resource: arn:aws:ec2:*:*:instance/*), on the condition that the instance is a Finance WebServer (ssm:resourceTag/Finance: WebServer). If the user sends a command to an instance that has no tags, or that has any tag other than Finance: WebServer, the execution result shows AccessDenied. Note that the policy needs two statements because SendCommand must be allowed on both the document ARN and the target instance ARN; the tag condition is applied only to the instance statement.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:SendCommand"
      ],
      "Resource": [
        "arn:aws:ssm:*:*:document/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:SendCommand"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*"
      ],
      "Condition": {
        "StringLike": {
          "ssm:resourceTag/Finance": [
            "WebServers"
          ]
        }
      }
    }
  ]
}

You can create IAM policies that allow a user to run commands on instances that are tagged with multiple tags. The following policy allows a user to run commands only on instances that carry both tags: because both tag keys appear in a single Condition block, both must match. If the user sends a command to an instance that is not tagged with both tags, the execution result shows AccessDenied.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:SendCommand"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ssm:resourceTag/tag_key1": [
            "tag_value1"
          ],
          "ssm:resourceTag/tag_key2": [
            "tag_value2"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:SendCommand"
      ],
      "Resource": [
        "arn:aws:ssm:us-west-1::document/AWS-*",
        "arn:aws:ssm:us-west-2::document/AWS-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:UpdateInstanceInformation",
        "ssm:ListCommands",
        "ssm:ListCommandInvocations",
        "ssm:GetDocument"
      ],
      "Resource": "*"
    }
  ]
}

You can also create IAM policies that allow a user to run commands on multiple tagged groups of instances. The following policy allows a user to run commands on instances in either tagged group, or in both: because each tag condition sits in its own statement, matching one of them is sufficient.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:SendCommand"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ssm:resourceTag/tag_key1": [
            "tag_value1"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:SendCommand"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ssm:resourceTag/tag_key2": [
            "tag_value2"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:SendCommand"
      ],
      "Resource": [
        "arn:aws:ssm:us-west-1::document/AWS-*",
        "arn:aws:ssm:us-west-2::document/AWS-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:UpdateInstanceInformation",
        "ssm:ListCommands",
        "ssm:ListCommandInvocations",
        "ssm:GetDocument"
      ],
      "Resource": "*"
    }
  ]
}
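The difference between the two-tag policy and the two-group policy above is easy to get wrong: condition keys inside one Condition block are ANDed, while separate statements are ORed, and SendCommand is only authorized when both the document ARN and every target instance ARN are covered by some statement. The following Python script is an added example, not part of the AWS documentation and not an AWS tool: it is a toy evaluator that models just enough of IAM (Allow statements, * wildcards, StringLike on ssm:resourceTag keys) to show how the page's two policies decide a SendCommand request. The account ID, instance ID and the AWS-RunShellScript document ARN in the request are constructed sample values; real IAM evaluation (Deny, NotResource, IfExists, policy variables) is richer, so verify production policies with the IAM policy simulator rather than this script.

```python
"""Toy evaluator for the tag-conditioned ssm:SendCommand policies on this page.

Added example, not AWS code. It models only what the page relies on: Allow
statements, '*' wildcards in Action/Resource, and StringLike conditions on
ssm:resourceTag/<key>. Use it to reason about AND/OR semantics, not as a
substitute for the IAM policy simulator.
"""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, tags):
    """Every key in a Condition block must match (AND); any of a key's listed
    values may match (OR). A tag key absent from the request never matches."""
    for operator, keys in condition.items():
        if operator != "StringLike":  # the only operator the page's policies use
            raise ValueError(f"unsupported operator {operator}")
        for key, patterns in keys.items():
            if not key.startswith("ssm:resourceTag/"):
                raise ValueError(f"unsupported condition key {key}")
            tag_value = tags.get(key[len("ssm:resourceTag/"):])
            if tag_value is None:
                return False
            if not any(fnmatch.fnmatchcase(tag_value, p) for p in _as_list(patterns)):
                return False
    return True


def statement_allows(stmt, action, resource_arn, tags):
    """True if this single Allow statement covers the action on the resource."""
    if stmt.get("Effect") != "Allow":
        return False
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
        return False
    return _condition_holds(stmt.get("Condition", {}), tags)


def send_command_allowed(policy, document_arn, instances):
    """SendCommand is authorized only if some statement allows the document ARN
    and some statement allows *every* target instance ARN. `instances` maps an
    instance ARN to its EC2 tag dict. Documents carry no EC2 tags, so a
    tag-conditioned statement can never satisfy the document resource."""
    stmts = policy["Statement"]
    if not any(statement_allows(s, "ssm:SendCommand", document_arn, {}) for s in stmts):
        return False
    return all(
        any(statement_allows(s, "ssm:SendCommand", arn, tags) for s in stmts)
        for arn, tags in instances.items()
    )


# The page's two policies, reduced to the statements that decide SendCommand.
_DOCS = ["arn:aws:ssm:us-west-1::document/AWS-*", "arn:aws:ssm:us-west-2::document/AWS-*"]
_ALLOW_DOCS = {"Effect": "Allow", "Action": ["ssm:SendCommand"], "Resource": _DOCS}

# Both tag keys inside ONE Condition block: the instance needs both tags.
AND_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ssm:SendCommand"], "Resource": "*",
     "Condition": {"StringLike": {"ssm:resourceTag/tag_key1": ["tag_value1"],
                                  "ssm:resourceTag/tag_key2": ["tag_value2"]}}},
    _ALLOW_DOCS,
]}

# One tag key per statement: either tag is enough.
OR_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ssm:SendCommand"], "Resource": "*",
     "Condition": {"StringLike": {"ssm:resourceTag/tag_key1": ["tag_value1"]}}},
    {"Effect": "Allow", "Action": ["ssm:SendCommand"], "Resource": "*",
     "Condition": {"StringLike": {"ssm:resourceTag/tag_key2": ["tag_value2"]}}},
    _ALLOW_DOCS,
]}

# Constructed request values: placeholder account ID and instance ID.
DOC = "arn:aws:ssm:us-west-2::document/AWS-RunShellScript"
INSTANCE = "arn:aws:ec2:us-west-2:111122223333:instance/i-0123456789abcdef0"


def demo():
    """Outcome of the same SendCommand request under each policy and tag set."""
    both = {"tag_key1": "tag_value1", "tag_key2": "tag_value2"}
    one = {"tag_key2": "tag_value2"}
    return {
        "and_policy/both_tags": send_command_allowed(AND_POLICY, DOC, {INSTANCE: both}),
        "and_policy/one_tag": send_command_allowed(AND_POLICY, DOC, {INSTANCE: one}),
        "or_policy/one_tag": send_command_allowed(OR_POLICY, DOC, {INSTANCE: one}),
        "or_policy/untagged": send_command_allowed(OR_POLICY, DOC, {INSTANCE: {}}),
        # A document outside the listed Regions is refused even for a tagged instance.
        "and_policy/other_region_doc": send_command_allowed(
            AND_POLICY, "arn:aws:ssm:us-east-1::document/AWS-RunShellScript", {INSTANCE: both}),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:30} {'Allow' if allowed else 'AccessDenied'}")
```

Running the script prints Allow for the tagged-with-both case under the AND policy and for the single-tag case under the OR policy, and AccessDenied for the single-tag case under the AND policy, the untagged instance, and a document ARN in a Region the document statement does not list. The last case is worth noticing when auditing such policies: the tag condition alone is not what scopes the permission, the document statement narrows it too.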

For more information about creating IAM user policies, see Managed Policies and Inline Policies in the IAM User Guide. For more information about tagging instances, see Tagging Your Amazon EC2 Resources in the Amazon EC2 User Guide for Linux Instances (the content applies to both Windows and Linux instances).