AWS Elastic Beanstalk
Developer Guide

Elastic Beanstalk user policies

Create an IAM user for each person who uses Elastic Beanstalk, so that nobody works with the root account or shares credentials. To reduce exposure, grant each of these users only the permissions needed for the services and features they actually use.

Elastic Beanstalk needs permissions not only for its own API operations but also for several other AWS services. Elastic Beanstalk launches every resource in an environment, including EC2 instances, Elastic Load Balancing load balancers and Auto Scaling groups, using the user's permissions. It also uses the user's permissions to save logs and templates to Amazon Simple Storage Service (Amazon S3), send notifications to Amazon SNS, assign instance profiles and publish metrics to CloudWatch. Elastic Beanstalk needs AWS CloudFormation permissions to orchestrate resource deployments and updates. It also needs Amazon RDS permissions to create databases when required, and Amazon SQS permissions to create queues for worker environments.

The following policy grants access to the operations used to create and manage Elastic Beanstalk environments. It is available in the IAM console as the managed policy named AWSElasticBeanstalkFullAccess. You can attach this managed policy to an IAM user or group to grant Elastic Beanstalk permissions, or write your own policy that omits permissions your users do not need.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:*",
        "ec2:*",
        "ecs:*",
        "ecr:*",
        "elasticloadbalancing:*",
        "autoscaling:*",
        "cloudwatch:*",
        "s3:*",
        "sns:*",
        "cloudformation:*",
        "dynamodb:*",
        "rds:*",
        "sqs:*",
        "logs:*",
        "iam:GetPolicyVersion",
        "iam:GetRole",
        "iam:PassRole",
        "iam:ListRolePolicies",
        "iam:ListAttachedRolePolicies",
        "iam:ListInstanceProfiles",
        "iam:ListRoles",
        "iam:ListServerCertificates",
        "acm:DescribeCertificate",
        "acm:ListCertificates",
        "codebuild:CreateProject",
        "codebuild:DeleteProject",
        "codebuild:BatchGetBuilds",
        "codebuild:StartBuild"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:AddRoleToInstanceProfile",
        "iam:CreateInstanceProfile",
        "iam:CreateRole"
      ],
      "Resource": [
        "arn:aws-cn:iam::*:role/aws-elasticbeanstalk*",
        "arn:aws-cn:iam::*:instance-profile/aws-elasticbeanstalk*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": [
        "arn:aws-cn:iam::*:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling*"
      ],
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "autoscaling.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": [
        "arn:aws-cn:iam::*:role/aws-service-role/elasticbeanstalk.amazonaws.com/AWSServiceRoleForElasticBeanstalk*"
      ],
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "elasticbeanstalk.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "iam:PolicyArn": [
            "arn:aws-cn:iam::aws:policy/AWSElasticBeanstalk*",
            "arn:aws-cn:iam::aws:policy/service-role/AWSElasticBeanstalk*"
          ]
        }
      }
    }
  ]
}
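The managed policy above grants `service:*` on `Resource: "*"` for more than a dozen services, and the text recommends trimming it for users who need less. The following script is an added example (not AWS code and not part of this guide) showing how a team can audit a policy document of this shape and derive a narrower variant: it lists the services with full wildcard access, checks whether `iam:PassRole` is allowed on every resource without a condition (a grant worth scoping, because the passed role's permissions flow to the instances Elastic Beanstalk launches), and removes whole services a group of users does not need. The embedded policy is a constructed, shortened subset of the one shown above, and the function names are this example's own.

```python
"""Audit and narrow an IAM policy document like AWSElasticBeanstalkFullAccess.

Added example, not AWS's code. Uses only the Python standard library.
"""
import json

# Constructed sample: a trimmed copy of the page's full-access policy, kept
# short so the example stays readable. Shape is identical to the real one.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["elasticbeanstalk:*", "ec2:*", "s3:*", "iam:PassRole", "iam:GetRole"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["iam:AddRoleToInstanceProfile", "iam:CreateInstanceProfile", "iam:CreateRole"],
     "Resource": ["arn:aws-cn:iam::*:role/aws-elasticbeanstalk*",
                  "arn:aws-cn:iam::*:instance-profile/aws-elasticbeanstalk*"]},
    {"Effect": "Allow",
     "Action": ["iam:AttachRolePolicy"],
     "Resource": "*",
     "Condition": {"StringLike": {"iam:PolicyArn": ["arn:aws-cn:iam::aws:policy/AWSElasticBeanstalk*"]}}}
  ]
}""")


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_services(policy):
    """Return the set of service prefixes granted 'service:*' on Resource '*'.

    These are the broadest grants in a policy and the first candidates for
    narrowing when a user does not need an entire service."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
            continue
        for action in _as_list(stmt.get("Action")):
            service, _, verb = action.partition(":")
            if verb == "*":
                found.add(service)
    return found


def unconditioned_passrole(policy):
    """True if iam:PassRole is allowed on Resource '*' with no Condition.

    A role passed to EC2 lends its permissions to the launched instances, so
    restricting the Resource ARN (e.g. to aws-elasticbeanstalk* roles) or
    adding a Condition is the usual hardening step."""
    for stmt in policy["Statement"]:
        if (stmt.get("Effect") == "Allow"
                and "iam:PassRole" in _as_list(stmt.get("Action"))
                and "*" in _as_list(stmt.get("Resource"))
                and not stmt.get("Condition")):
            return True
    return False


def drop_services(policy, services):
    """Return a copy of the policy with every action of the given services removed.

    Statements left with no actions are dropped entirely. This is how a team
    would derive a narrower policy from the managed one, for example for users
    who never need to touch S3 or RDS directly."""
    narrowed = {"Version": policy["Version"], "Statement": []}
    for stmt in policy["Statement"]:
        keep = [a for a in _as_list(stmt.get("Action"))
                if a.partition(":")[0] not in services]
        if keep:
            new_stmt = dict(stmt)
            new_stmt["Action"] = keep
            narrowed["Statement"].append(new_stmt)
    return narrowed


if __name__ == "__main__":
    print("full-service wildcards:", sorted(wildcard_services(SAMPLE_POLICY)))
    print("PassRole on * without condition:", unconditioned_passrole(SAMPLE_POLICY))
    print(json.dumps(drop_services(SAMPLE_POLICY, {"s3"}), indent=2))
```

To audit the real managed policy, replace `SAMPLE_POLICY` with the document retrieved from IAM (for example the output of `aws iam get-policy-version`) and review the reported wildcards against what each user group actually does; the narrowed document that `drop_services` returns is then attached as a customer-managed policy instead of AWSElasticBeanstalkFullAccess.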

Elastic Beanstalk also provides a read-only managed policy named AWSElasticBeanstalkReadOnlyAccess. This policy lets users view Elastic Beanstalk environments but not modify or create them.

For more information about user policies, see Controlling access to Elastic Beanstalk.