Amazon ECS
AWS Fargate 用户指南 (API 版本 2014-11-13)
AWS 文档中描述的 AWS 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 AWS 服务入门

Amazon Elastic Container Service 基于身份的策略示例

默认情况下,IAM 用户和角色没有创建或修改 Amazon ECS 资源的权限。它们还无法使用 AWS 管理控制台、AWS CLI 或 AWS API 执行任务。IAM 管理员必须创建 IAM 策略,为用户和角色授予权限,以便对他们所需的指定资源执行特定的 API 操作。然后,管理员必须将这些策略附加到需要这些权限的 IAM 用户或组。

要了解如何使用这些示例 JSON 策略文档创建 IAM 基于身份的策略,请参阅 IAM 用户指南 中的 JSON 选项卡上的创建策略

策略最佳实践

Identity-based policies are very powerful. They determine whether someone can create, access, or delete Amazon ECS resources in your account. These actions can incur costs for your AWS account. When you create or edit identity-based policies, follow these guidelines and recommendations:

  • Get Started Using AWS Managed Policies – To start using Amazon ECS quickly, use AWS managed policies to give your employees the permissions they need. These policies are already available in your account and are maintained and updated by AWS. For more information, see Get Started Using Permissions With AWS Managed Policies in the IAM 用户指南.

  • Grant Least Privilege – When you create custom policies, grant only the permissions required to perform a task. Start with a minimum set of permissions and grant additional permissions as necessary. Doing so is more secure than starting with permissions that are too lenient and then trying to tighten them later. For more information, see Grant Least Privilege in the IAM 用户指南.

  • Enable MFA for Sensitive Operations – For extra security, require IAM users to use multi-factor authentication (MFA) to access sensitive resources or API operations. For more information, see Using Multi-Factor Authentication (MFA) in AWS in the IAM 用户指南.

  • Use Policy Conditions for Extra Security – To the extent that it's practical, define the conditions under which your identity-based policies allow access to a resource. For example, you can write conditions to specify a range of allowable IP addresses that a request must come from. You can also write conditions to allow requests only within a specified date or time range, or to require the use of SSL or MFA. For more information, see IAM JSON Policy Elements: Condition in the IAM 用户指南.

允许用户查看他们自己的权限

This example shows how you might create a policy that allows IAM users to view the inline and managed policies that are attached to their user identity. This policy includes permissions to complete this action on the console or programmatically using the AWS CLI or AWS API.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "ViewOwnUserInfo", "Effect": "Allow", "Action": [ "iam:GetUserPolicy", "iam:ListGroupsForUser", "iam:ListAttachedUserPolicies", "iam:ListUserPolicies", "iam:GetUser" ], "Resource": [ "arn:aws-cn:iam::*:user/${aws:username}" ] }, { "Sid": "NavigateInConsole", "Effect": "Allow", "Action": [ "iam:GetGroupPolicy", "iam:GetPolicyVersion", "iam:GetPolicy", "iam:ListAttachedGroupPolicies", "iam:ListGroupPolicies", "iam:ListPolicyVersions", "iam:ListPolicies", "iam:ListUsers" ], "Resource": "*" } ] }

Amazon ECS 首次运行向导权限

Amazon ECS 首次运行向导简化了创建集群并运行您的任务和服务的过程。不过,用户需要通过多种 AWS 服务来获得执行许多 API 操作的权限才能完成此向导。以下 AmazonECS_FullAccess 托管策略说明完成 Amazon ECS 首次运行向导所需的权限。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "application-autoscaling:DeleteScalingPolicy", "application-autoscaling:DeregisterScalableTarget", "application-autoscaling:DescribeScalableTargets", "application-autoscaling:DescribeScalingActivities", "application-autoscaling:DescribeScalingPolicies", "application-autoscaling:PutScalingPolicy", "application-autoscaling:RegisterScalableTarget", "autoscaling:UpdateAutoScalingGroup", "autoscaling:CreateAutoScalingGroup", "autoscaling:CreateLaunchConfiguration", "autoscaling:DeleteAutoScalingGroup", "autoscaling:DeleteLaunchConfiguration", "autoscaling:Describe*", "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:DescribeStack*", "cloudformation:UpdateStack", "cloudwatch:DescribeAlarms", "cloudwatch:DeleteAlarms", "cloudwatch:GetMetricStatistics", "cloudwatch:PutMetricAlarm", "codedeploy:CreateApplication", "codedeploy:CreateDeployment", "codedeploy:CreateDeploymentGroup", "codedeploy:GetApplication", "codedeploy:GetDeployment", "codedeploy:GetDeploymentGroup", "codedeploy:ListApplications", "codedeploy:ListDeploymentGroups", "codedeploy:ListDeployments", "codedeploy:StopDeployment", "codedeploy:GetDeploymentTarget", "codedeploy:ListDeploymentTargets", "codedeploy:GetDeploymentConfig", "codedeploy:GetApplicationRevision", "codedeploy:RegisterApplicationRevision", "codedeploy:BatchGetApplicationRevisions", "codedeploy:BatchGetDeploymentGroups", "codedeploy:BatchGetDeployments", "codedeploy:BatchGetApplications", "codedeploy:ListApplicationRevisions", "codedeploy:ListDeploymentConfigs", "codedeploy:ContinueDeployment", "sns:ListTopics", "lambda:ListFunctions", "ec2:AssociateRouteTable", "ec2:AttachInternetGateway", "ec2:AuthorizeSecurityGroupIngress", "ec2:CancelSpotFleetRequests", "ec2:CreateInternetGateway", "ec2:CreateLaunchTemplate", "ec2:CreateRoute", "ec2:CreateRouteTable", "ec2:CreateSecurityGroup", "ec2:CreateSubnet", "ec2:CreateVpc", "ec2:DeleteLaunchTemplate", "ec2:DeleteSubnet", "ec2:DeleteVpc", "ec2:Describe*", "ec2:DetachInternetGateway", "ec2:DisassociateRouteTable", "ec2:ModifySubnetAttribute", "ec2:ModifyVpcAttribute", "ec2:RunInstances", "ec2:RequestSpotFleet", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:CreateRule", "elasticloadbalancing:CreateTargetGroup", "elasticloadbalancing:DeleteListener", "elasticloadbalancing:DeleteLoadBalancer", "elasticloadbalancing:DeleteRule", "elasticloadbalancing:DeleteTargetGroup", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeRules", "elasticloadbalancing:DescribeTargetGroups", "ecs:*", "events:DescribeRule", "events:DeleteRule", "events:ListRuleNamesByTarget", "events:ListTargetsByRule", "events:PutRule", "events:PutTargets", "events:RemoveTargets", "iam:ListAttachedRolePolicies", "iam:ListInstanceProfiles", "iam:ListRoles", "logs:CreateLogGroup", "logs:DescribeLogGroups", "logs:FilterLogEvents", "route53:GetHostedZone", "route53:ListHostedZonesByName", "route53:CreateHostedZone", "route53:DeleteHostedZone", "route53:GetHealthCheck", "servicediscovery:CreatePrivateDnsNamespace", "servicediscovery:CreateService", "servicediscovery:GetNamespace", "servicediscovery:GetOperation", "servicediscovery:GetService", "servicediscovery:ListNamespaces", "servicediscovery:ListServices", "servicediscovery:UpdateService" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "ssm:GetParametersByPath", "ssm:GetParameters", "ssm:GetParameter" ], "Resource": "arn:aws:ssm:*:*:parameter/aws/service/ecs*" }, { "Effect": "Allow", "Action": [ "ec2:DeleteInternetGateway", "ec2:DeleteRoute", "ec2:DeleteRouteTable", "ec2:DeleteSecurityGroup" ], "Resource": [ "*" ], "Condition": { "StringLike": { "ec2:ResourceTag/aws:cloudformation:stack-name": "EC2ContainerService-*" } } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": [ "*" ], "Condition": { "StringLike": { "iam:PassedToService": "ecs-tasks.amazonaws.com" } } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": [ "arn:aws:iam::*:role/ecsInstanceRole*" ], "Condition": { "StringLike": { "iam:PassedToService": [ "ec2.amazonaws.com", "ec2.amazonaws.com.cn" ] } } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": [ "arn:aws:iam::*:role/ecsAutoscaleRole*" ], "Condition": { "StringLike": { "iam:PassedToService": [ "application-autoscaling.amazonaws.com", "application-autoscaling.amazonaws.com.cn" ] } } }, { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*", "Condition": { "StringLike": { "iam:AWSServiceName": [ "ecs.amazonaws.com", "spot.amazonaws.com", "spotfleet.amazonaws.com", "ecs.application-autoscaling.amazonaws.com", "autoscaling.amazonaws.com" ] } } } ] }

首次运行向导还会尝试自动创建不同的 IAM 角色,具体取决于所用的任务启动类型。例如,Amazon ECS 服务角色、容器实例 IAM 角色和任务执行 IAM 角色。要确保首次运行时能够创建这些 IAM 角色,必须满足以下条件之一:

集群示例

以下 IAM 策略授予创建和列出集群所需的权限。CreateClusterListClusters 操作不接受任何资源,因此,所有资源的资源定义将设置为 *

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:CreateCluster", "ecs:ListClusters" ], "Resource": [ "*" ] } ] }

以下 IAM 策略授予描述和删除特定集群所需的权限。DescribeClustersDeleteCluster 操作将集群 ARN 接受为资源。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeCluster", "ecs:DeleteCluster" ], "Resource": [ "arn:aws:ecs:us-east-1:<aws_account_id>:cluster/<cluster_name>" ] } ] }

以下 IAM 策略可附加到用户或组,该策略仅允许用户或组对特定集群执行操作。

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ecs:Describe*", "ecs:List*" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "ecs:DeleteCluster", "ecs:DeregisterContainerInstance", "ecs:ListContainerInstances", "ecs:RegisterContainerInstance", "ecs:SubmitContainerStateChange", "ecs:SubmitTaskStateChange" ], "Effect": "Allow", "Resource": "arn:aws:ecs:us-east-1:<aws_account_id>:cluster/default" }, { "Action": [ "ecs:DescribeContainerInstances", "ecs:DescribeTasks", "ecs:ListTasks", "ecs:UpdateContainerAgent", "ecs:StartTask", "ecs:StopTask", "ecs:RunTask" ], "Effect": "Allow", "Resource": "*", "Condition": { "ArnEquals": { "ecs:cluster": "arn:aws:ecs:us-east-1:<aws_account_id>:cluster/default" } } } ] }

列出并描述任务示例

以下 IAM 策略可让用户列出指定集群的任务:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:ListTasks" ], "Condition": { "ArnEquals": { "ecs:cluster": "arn:aws:ecs:<region>:<aws_account_id>:cluster/<cluster_name>" } }, "Resource": [ "*" ] } ] }

以下 IAM 策略可让用户描述指定集群中的指定任务:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeTasks" ], "Condition": { "ArnEquals": { "ecs:cluster": "arn:aws:ecs:<region>:<aws_account_id>:cluster/<cluster_name>" } }, "Resource": [ "arn:aws:ecs:<region>:<aws_account_id>:task/<task_UUID>" ] } ] }

创建服务示例

以下 IAM 策略允许用户在 AWS 管理控制台中创建 Amazon ECS 服务:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "application-autoscaling:Describe*", "application-autoscaling:PutScalingPolicy", "application-autoscaling:RegisterScalableTarget", "cloudwatch:DescribeAlarms", "cloudwatch:PutMetricAlarm", "ecs:List*", "ecs:Describe*", "ecs:CreateService", "elasticloadbalancing:Describe*", "iam:AttachRolePolicy", "iam:CreateRole", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "iam:ListAttachedRolePolicies", "iam:ListRoles", "iam:ListGroups", "iam:ListUsers" ], "Resource": [ "*" ] } ] }

更新服务示例

以下 IAM 允许 AWS 管理控制台中更新 Amazon ECS 服务:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "application-autoscaling:Describe*", "application-autoscaling:PutScalingPolicy", "application-autoscaling:DeleteScalingPolicy", "application-autoscaling:RegisterScalableTarget", "cloudwatch:DescribeAlarms", "cloudwatch:PutMetricAlarm", "ecs:List*", "ecs:Describe*", "ecs:UpdateService", "iam:AttachRolePolicy", "iam:CreateRole", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "iam:ListAttachedRolePolicies", "iam:ListRoles", "iam:ListGroups", "iam:ListUsers" ], "Resource": [ "*" ] } ] }

基于标签描述 Amazon ECS 服务

您可以在基于身份的策略中使用条件,以便基于标签控制对 Amazon ECS 资源的访问。此示例显示如何创建允许描述服务的策略。但是,仅当服务标签 Owner 具有该用户的用户名的值时,才授予此权限。此策略还授予在控制台上完成此操作的必要权限。

{ "Version": "2012-10-17", "Statement": [ { "Sid": "DescribeServices", "Effect": "Allow", "Action": "ecs:DescribeServices", "Resource": "*" }, { "Sid": "ViewServiceIfOwner", "Effect": "Allow", "Action": "ecs:DescribeServices", "Resource": "arn:aws-cn:ecs:*:*:service/*", "Condition": { "StringEquals": {"ecs:ResourceTag/Owner": "${aws:username}"} } } ] }

您可以将此策略附加到您账户中的 IAM 用户。如果名为 richard-roe 的用户尝试描述 Amazon ECS 服务,则服务必须标记为 Owner=richard-roeowner=richard-roe。否则,他会被拒绝访问。条件标签键 Owner 匹配 Ownerowner,因为条件键名称不区分大小写。有关更多信息,请参阅 IAM 用户指南 中的 IAM JSON 策略元素:Condition