本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
使用适用于 EC2 Image Builder 的托管策略
Amazon 托管策略是由创建和管理的独立策略 Amazon。 Amazon 托管策略旨在为许多常见用例提供权限,以便您可以开始为用户、组和角色分配权限。
请记住, Amazon 托管策略可能不会为您的特定用例授予最低权限权限,因为它们可供所有 Amazon 客户使用。我们建议通过定义特定于您的使用场景的客户管理型策略来进一步减少权限。
您无法更改 Amazon 托管策略中定义的权限。如果 Amazon 更新 Amazon 托管策略中定义的权限,则更新会影响该策略所关联的所有委托人身份(用户、组和角色)。 Amazon 最有可能在启动新的 API 或现有服务可以使用新 Amazon Web Service 的 API 操作时更新 Amazon 托管策略。
有关更多信息,请参阅《IAM 用户指南》中的 Amazon 托管式策略。
AWSImageBuilderFullAccess 策略
该 AWSImageBuilderFullAccess 策略授予所附加角色对 Image Builder 资源的完全访问权限,允许该角色列出、描述、创建、更新和删除 Image Builder 资源。该策略还向相关 Amazon Web Services 人员授予所需的定向权限,例如验证资源或在中显示账户的当前资源 Amazon Web Services Management Console。
权限详细信息
该策略包含以下权限:
-
Image Builder – 授予管理权限,使该角色可以列出、描述、创建、更新和删除 Image Builder 资源。
-
Amazon EC2 – 授予 Amazon EC2 Describe 操作的访问权限,这些操作是验证资源是否存在或获取属于账户的资源列表所必需的。
-
IAM – 授予访问权限以获取和使用名称包含“imagebuilder”的实例配置文件,通过
iam:GetRoleAPI 操作验证 Image Builder 服务相关角色是否存在,以及创建 Image Builder 服务相关角色。 -
License Manager – 授予访问权限,以列出资源的许可证配置或许可证。
-
Amazon S3 – 授予访问权限,以列出属于该账户的存储桶,以及名称中带有“imagebuilder”的 Image Builder 存储桶。
-
Amazon SNS – 向 Amazon SNS 授予写入权限,以验证包含“imagebuilder”的主题的主题所有权。
策略示例
以下是 AWSImageBuilderFullAccess 策略的示例。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "imagebuilder:*" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "sns:ListTopics" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "sns:Publish" ], "Resource": "arn:aws:sns:*:*:*imagebuilder*" }, { "Effect": "Allow", "Action": [ "license-manager:ListLicenseConfigurations", "license-manager:ListLicenseSpecificationsForResource" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:GetRole" ], "Resource": "arn:aws:iam::*:role/aws-service-role/imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder" }, { "Effect": "Allow", "Action": [ "iam:GetInstanceProfile" ], "Resource": "arn:aws:iam::*:instance-profile/*imagebuilder*" }, { "Effect": "Allow", "Action": [ "iam:ListInstanceProfiles", "iam:ListRoles" ], "Resource": "*" }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "arn:aws:iam::*:instance-profile/*imagebuilder*", "arn:aws:iam::*:role/*imagebuilder*" ], "Condition": { "StringEquals": { "iam:PassedToService": "ec2.amazonaws.com" } } }, { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:GetBucketLocation" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": "arn:aws:s3::*:*imagebuilder*" }, { "Action": "iam:CreateServiceLinkedRole", "Effect": "Allow", "Resource": "arn:aws:iam::*:role/aws-service-role/imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder", "Condition": { "StringLike": { "iam:AWSServiceName": "imagebuilder.amazonaws.com" } } }, { "Effect": "Allow", "Action": [ "ec2:DescribeImages", "ec2:DescribeSnapshots", "ec2:DescribeVpcs", "ec2:DescribeRegions", "ec2:DescribeVolumes", "ec2:DescribeSubnets", "ec2:DescribeKeyPairs", "ec2:DescribeSecurityGroups", "ec2:DescribeInstanceTypeOfferings", "ec2:DescribeLaunchTemplates" ], "Resource": "*" } ] }
AWSImageBuilderReadOnlyAccess 策略
AWSImageBuilderReadOnlyAccess 策略提供对所有 Image Builder 资源的只读访问权限。授予权限以通过 iam:GetRole API 操作验证 Image Builder 服务相关角色是否存在。
权限详细信息
该策略包含以下权限:
-
Image Builder – 授予对 Image Builder 资源的只读访问权限。
-
IAM – 授予访问权限,以通过
iam:GetRoleAPI 操作验证 Image Builder 服务相关角色是否存在。
策略示例
以下是 AWSImageBuilderReadOnlyAccess 策略的示例。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "imagebuilder:Get*", "imagebuilder:List*" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:GetRole" ], "Resource": "arn:aws:iam::*:role/aws-service-role/imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder" } ] }
AWSServiceRoleForImageBuilder 策略
该AWSServiceRoleForImageBuilder政策允许 Image Builder Amazon Web Services 代表您致电。
权限详细信息
通过 Systems Manager 创建 Image Builder 服务相关角色时,该策略将附加到该角色。要查看授予的特定权限,请参阅本部分中的策略示例。有关 Image Builder 服务相关角色的更多信息,请参阅 使用 EC2 Image Builder 的服务相关角色。
此策略包含以下权限:
-
CloudWatch 日志-授予创建 CloudWatch 日志并将其上传到名称以开头的任何日志组的访问权限
/aws/imagebuilder/。 -
Amazon EC2 – 只要正在创建或使用的映像、实例和卷已标记为
CreatedBy: EC2 Image Builder或CreatedBy: EC2 Fast Launch,就可以根据需要使用相关的快照、卷、网络接口、子网、安全组、许可证配置和密钥对,授予 Image Builder 访问权限以在您的账户中创建映像和启动 EC2 实例。Image Builder 可以获取以下有关信息:Amazon EC2 映像、实例属性、实例状态、账户可用的实例类型、启动模板、子网、主机和 Amazon EC2 资源上的标签。
Image Builder 可以更新映像设置,以启用或禁用账户中的 Windows 实例快速启动(其中映像标有
CreatedBy: EC2 Image Builder)。此外,Image Builder 可以启动、停止和终止账户中运行的实例,还可以共享 Amazon EBS 快照、创建和更新映像和启动模板,注销现有映像,添加标签,以及在您通过 Ec2ImageBuilderCrossAccountDistributionAccess 策略授予权限的账户之间复制映像。如前所述,所有这些操作都需要使用 Image Builder 标记。
-
Amazon ECR – 向 Image Builder 授予访问权限,在需要进行容器映像漏洞扫描时创建存储库,并为其创建的资源添加标签,以限制其操作范围。Image Builder 还被授予访问权限,以在获取漏洞快照后删除其为扫描创建的容器映像。
-
EventBridge— 授予 Image Builder 创建和管理 EventBridge 规则的权限。
-
IAM – 向 Image Builder 授予访问权限,以将您账户中的任意角色传递给 Amazon EC2 和 VM Import/Export。
-
Amazon Inspector – 向 Image Builder 授予访问权限,以确定 Amazon Inspector 何时完成构建实例扫描,并收集配置为允许扫描的映像的结果。
-
Amazon KMS:向 Amazon EBS 授予访问权限,以加密、解密或重新加密 Amazon EBS 卷。这一点非常重要,可以确保当 Image Builder 构建映像时,加密卷能够正常工作。
-
License Manager – 向 Image Builder 授予访问权限,以通过
license-manager:UpdateLicenseSpecificationsForResource更新 License Manager 规格。 -
Amazon SNS – 向账户中的任何 Amazon SNS 主题都授予写入权限。
-
Systems Manager – 向 Image Builder 授予访问权限,以列出 Systems Manager 命令及其调用、清单条目、描述实例信息和自动执行状态,并获取命令调用详细信息。Image Builder 还可以发送自动化信号,并停止对账户中任意资源的自动化执行。
Image Builder 能够向标记为
"CreatedBy": "EC2 Image Builder"的任何实例发出运行命令调用,用于以下脚本文件:AWS-RunPowerShellScript、AWS-RunShellScript和AWSEC2-RunSysprep。Image Builder 能够在账户中启动 Systems Manager 自动化执行,用于名称以ImageBuilder开头的自动化文档。Image Builder 还可以在账户中为任何实例创建或删除状态管理器关联(只要关联文档为
AWS-GatherSoftwareInventory),并且可以在账户中创建 Systems Manager 服务相关角色。 -
Amazon STS:向 Image Builder 授予访问权限,以将账户中名为 EC2ImageBuilderDistributionCrossAccountRole 的角色带入任何账户,前提是该角色的信任策略允许代入。这可用于跨账户映像分配。
策略示例
以下是 AWSServiceRoleForImageBuilder 策略的示例。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:RunInstances" ], "Resource": [ "arn:aws:ec2:*::image/*", "arn:aws:ec2:*::snapshot/*", "arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:network-interface/*", "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:key-pair/*", "arn:aws:ec2:*:*:launch-template/*", "arn:aws:license-manager:*:*:license-configuration:*" ] }, { "Effect": "Allow", "Action": [ "ec2:RunInstances" ], "Resource": [ "arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:instance/*" ], "Condition": { "StringEquals": { "aws:RequestTag/CreatedBy": [ "EC2 Image Builder", "EC2 Fast Launch" ] } } }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*", "Condition": { "StringEquals": { "iam:PassedToService": [ "ec2.amazonaws.com", "ec2.amazonaws.com.cn", "vmie.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": [ "ec2:StopInstances", "ec2:StartInstances", "ec2:TerminateInstances" ], "Resource": "*", "Condition": { "StringEquals": { "ec2:ResourceTag/CreatedBy": "EC2 Image Builder" } } }, { "Effect": "Allow", "Action": [ "ec2:CopyImage", "ec2:CreateImage", "ec2:CreateLaunchTemplate", "ec2:DeregisterImage", "ec2:DescribeImages", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceStatus", "ec2:DescribeInstances", "ec2:DescribeInstanceTypeOfferings", "ec2:DescribeInstanceTypes", "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:ModifyImageAttribute", "ec2:DescribeImportImageTasks", "ec2:DescribeExportImageTasks", "ec2:DescribeSnapshots", "ec2:DescribeHosts" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:ModifySnapshotAttribute" ], "Resource": "arn:aws:ec2:*::snapshot/*", "Condition": { "StringEquals": { "ec2:ResourceTag/CreatedBy": "EC2 Image Builder" } } }, { "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "*", "Condition": { "StringEquals": { "ec2:CreateAction": [ "RunInstances", "CreateImage" ], "aws:RequestTag/CreatedBy": [ "EC2 Image Builder", "EC2 Fast Launch" ] } } }, { "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": [ "arn:aws:ec2:*::image/*", "arn:aws:ec2:*:*:export-image-task/*" ] }, { "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": [ "arn:aws:ec2:*::snapshot/*", "arn:aws:ec2:*:*:launch-template/*" ], "Condition": { "StringEquals": { "aws:RequestTag/CreatedBy": [ "EC2 Image Builder", "EC2 Fast Launch" ] } } }, { "Effect": "Allow", "Action": [ "license-manager:UpdateLicenseSpecificationsForResource" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "sns:Publish" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ssm:ListCommands", "ssm:ListCommandInvocations", "ssm:AddTagsToResource", "ssm:DescribeInstanceInformation", "ssm:GetAutomationExecution", "ssm:StopAutomationExecution", "ssm:ListInventoryEntries", "ssm:SendAutomationSignal", "ssm:DescribeInstanceAssociationsStatus", "ssm:DescribeAssociationExecutions", "ssm:GetCommandInvocation" ], "Resource": "*" }, { "Effect": "Allow", "Action": "ssm:SendCommand", "Resource": [ "arn:aws:ssm:*:*:document/AWS-RunPowerShellScript", "arn:aws:ssm:*:*:document/AWS-RunShellScript", "arn:aws:ssm:*:*:document/AWSEC2-RunSysprep", "arn:aws:s3:::*" ] }, { "Effect": "Allow", "Action": [ "ssm:SendCommand" ], "Resource": [ "arn:aws:ec2:*:*:instance/*" ], "Condition": { "StringEquals": { "ssm:resourceTag/CreatedBy": [ "EC2 Image Builder" ] } } }, { "Effect": "Allow", "Action": "ssm:StartAutomationExecution", "Resource": "arn:aws:ssm:*:*:automation-definition/ImageBuilder*" }, { "Effect": "Allow", "Action": [ "ssm:CreateAssociation", "ssm:DeleteAssociation" ], "Resource": [ "arn:aws:ssm:*:*:document/AWS-GatherSoftwareInventory", "arn:aws:ssm:*:*:association/*", "arn:aws:ec2:*:*:instance/*" ] }, { "Effect": "Allow", "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo", "kms:GenerateDataKeyWithoutPlaintext" ], "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "kms:EncryptionContextKeys": [ "aws:ebs:id" ] }, "StringLike": { "kms:ViaService": [ "ec2.*.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": [ "kms:DescribeKey" ], "Resource": "*", "Condition": { "StringLike": { "kms:ViaService": [ "ec2.*.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": "kms:CreateGrant", "Resource": "*", "Condition": { "Bool": { "kms:GrantIsForAWSResource": true }, "StringLike": { "kms:ViaService": [ "ec2.*.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::*:role/EC2ImageBuilderDistributionCrossAccountRole" }, { "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:CreateLogGroup", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/imagebuilder/*" }, { "Effect": "Allow", "Action": [ "ec2:CreateLaunchTemplateVersion", "ec2:DescribeLaunchTemplates", "ec2:ModifyLaunchTemplate", "ec2:DescribeLaunchTemplateVersions" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:ExportImage" ], "Resource": "arn:aws:ec2:*::image/*", "Condition": { "StringEquals": { "ec2:ResourceTag/CreatedBy": "EC2 Image Builder" } } }, { "Effect": "Allow", "Action": [ "ec2:ExportImage" ], "Resource": "arn:aws:ec2:*:*:export-image-task/*" }, { "Effect": "Allow", "Action": [ "ec2:CancelExportTask" ], "Resource": "arn:aws:ec2:*:*:export-image-task/*", "Condition": { "StringEquals": { "ec2:ResourceTag/CreatedBy": "EC2 Image Builder" } } }, { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*", "Condition": { "StringEquals": { "iam:AWSServiceName": [ "ssm.amazonaws.com", "ec2fastlaunch.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": [ "ec2:EnableFastLaunch" ], "Resource": [ "arn:aws:ec2:*::image/*", "arn:aws:ec2:*:*:launch-template/*" ], "Condition": { "StringEquals": { "ec2:ResourceTag/CreatedBy": "EC2 Image Builder" } } }, { "Effect": "Allow", "Action": [ "inspector2:ListCoverage", "inspector2:ListFindings" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ecr:CreateRepository" ], "Resource": "*", "Condition": { "StringEquals": { "aws:RequestTag/CreatedBy": "EC2 Image Builder" } } }, { "Effect": "Allow", "Action": [ "ecr:TagResource" ], "Resource": "arn:aws:ecr:*:*:repository/image-builder-*", "Condition": { "StringEquals": { "aws:RequestTag/CreatedBy": "EC2 Image Builder" } } }, { "Effect": "Allow", "Action": [ "ecr:BatchDeleteImage" ], "Resource": "arn:aws:ecr:*:*:repository/image-builder-*", "Condition": { "StringEquals": { "ecr:ResourceTag/CreatedBy": "EC2 Image Builder" } } }, { "Effect": "Allow", "Action": [ "events:DeleteRule", "events:DescribeRule", "events:PutRule", "events:PutTargets", "events:RemoveTargets" ], "Resource": [ "arn:aws:events:*:*:rule/ImageBuilder-*" ] } ] }
Ec2ImageBuilderCrossAccountDistributionAccess 策略
该 Ec2ImageBuilderCrossAccountDistributionAccess 策略向 Image Builder 授予权限,以在目标区域跨账户分配映像。此外,Image Builder 能够描述、复制和应用标签到账户中的任何 Amazon EC2 映像。该策略还允许通过 ec2:ModifyImageAttribute API 操作修改 AMI 权限。
权限详细信息
该策略包含以下权限:
-
Amazon EC2 – 向 Amazon EC2 授予访问权限,以描述、复制和修改映像的属性,以及为账户中的任何 Amazon EC2 映像创建标签。
策略示例
以下是 Ec2ImageBuilderCrossAccountDistributionAccess 策略的示例。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:CreateTags", "Resource": "arn:aws:ec2:*::image/*" }, { "Effect": "Allow", "Action": [ "ec2:DescribeImages", "ec2:CopyImage", "ec2:ModifyImageAttribute" ], "Resource": "*" } ] }
EC2ImageBuilderLifecycleExecutionPolicy 策略
EC2ImageBuilderLifecycleExecutionPolicy 策略授予 Image Builder 执行如弃用、禁用或删除 Image Builder 映像资源及其底层资源(AMI、快照)等操作的权限,以支持映像生命周期管理任务的自动化规则。
权限详细信息
该策略包含以下权限:
-
Amazon EC2 – 向 Amazon EC2 授予访问权限,以对账户中标记为
CreatedBy: EC2 Image Builder的亚马逊机器映像(AMI)执行以下操作。-
启用和禁用 AMI。
-
启用和禁用映像弃用。
-
描述和注销 AMI。
-
描述和修改 AMI 映像属性。
-
删除与 AMI 关联的卷快照。
-
检索资源的标签。
-
在 AMI 中添加或删除弃用标签。
-
-
Amazon ECR – 向 Amazon ECR 授予访问权限,以对具有
LifecycleExecutionAccess: EC2 Image Builder标签的 ECR 存储库上执行以下批处理操作。批处理操作支持自动化容器映像生命周期规则。-
ecr:BatchGetImage -
ecr:BatchDeleteImage
在存储库级别向标记为
LifecycleExecutionAccess: EC2 Image Builder的 ECR 存储库授予访问权限。 -
-
Amazon 资源组 — 授予 Image Builder 基于标签获取资源的权限。
-
EC2 Image Builder – 向 Image Builder 授予权限,以删除 Image Builder 映像资源。
策略示例
以下是 EC2ImageBuilderLifecycleExecutionPolicy 策略的示例。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Ec2ImagePermission", "Effect": "Allow", "Action": [ "ec2:EnableImage", "ec2:DeregisterImage", "ec2:EnableImageDeprecation", "ec2:DescribeImageAttribute", "ec2:DisableImage", "ec2:DisableImageDeprecation" ], "Resource": "arn:aws:ec2:*::image/*", "Condition": { "StringEquals": { "aws:ResourceTag/CreatedBy": "EC2 Image Builder" } } }, { "Sid": "EC2DeleteSnapshotPermission", "Effect": "Allow", "Action": "ec2:DeleteSnapshot", "Resource": "arn:aws:ec2:*::snapshot/*", "Condition": { "StringEquals": { "aws:ResourceTag/CreatedBy": "EC2 Image Builder" } } }, { "Sid": "EC2TagsPermission", "Effect": "Allow", "Action": [ "ec2:DeleteTags", "ec2:CreateTags" ], "Resource": [ "arn:aws:ec2:*::snapshot/*", "arn:aws:ec2:*::image/*" ], "Condition": { "StringEquals": { "aws:RequestTag/DeprecatedBy": "EC2 Image Builder", "aws:ResourceTag/CreatedBy": "EC2 Image Builder" }, "ForAllValues:StringEquals": { "aws:TagKeys": "DeprecatedBy" } } }, { "Sid": "ECRImagePermission", "Effect": "Allow", "Action": [ "ecr:BatchGetImage", "ecr:BatchDeleteImage" ], "Resource": "arn:aws:ecr:*:*:repository/*", "Condition": { "StringEquals": { "ecr:ResourceTag/LifecycleExecutionAccess": "EC2 Image Builder" } } }, { "Sid": "ImageBuilderEC2TagServicePermission", "Effect": "Allow", "Action": [ "ec2:DescribeImages", "tag:GetResources", "imagebuilder:DeleteImage" ], "Resource": "*" } ] }
EC2InstanceProfileForImageBuilder 策略
EC2InstanceProfileForImageBuilder 策略授予 EC2 实例与 Image Builder 协同工作所需的最低权限。但这不包括使用 Systems Manager 代理所需的权限。
权限详细信息
该策略包含以下权限:
-
CloudWatch 日志-授予创建 CloudWatch 日志并将其上传到名称以开头的任何日志组的访问权限
/aws/imagebuilder/。 -
Image Builder – 授予访问权限,以获取任何 Image Builder 组件。
-
Amazon KMS— 如果Image Builder组件是通过加密的,则有权解密该组件。 Amazon KMS
-
Amazon S3 – 授予权限,以获取存储在名称以
ec2imagebuilder-开头的 Amazon S3 存储桶中的对象。
策略示例
以下是 EC2InstanceProfileForImageBuilder 策略的示例。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "imagebuilder:GetComponent" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "kms:Decrypt" ], "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "kms:EncryptionContextKeys": "aws:imagebuilder:arn", "aws:CalledVia": [ "imagebuilder.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": "arn:aws:s3:::ec2imagebuilder*" }, { "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:CreateLogGroup", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/imagebuilder/*" } ] }
EC2InstanceProfileForImageBuilderECRContainerBuilds 策略
当 EC2 实例使用 Image Builder 构建 Docker 映像,然后在 Amazon ECR 容器存储库中注册和存储映像时,EC2InstanceProfileForImageBuilderECRContainerBuilds 策略会授予其所需的最低权限。但这不包括使用 Systems Manager 代理所需的权限。
权限详细信息
该策略包含以下权限:
-
CloudWatch 日志-授予创建 CloudWatch 日志并将其上传到名称以开头的任何日志组的访问权限
/aws/imagebuilder/。 -
Amazon ECR – 向 Amazon ECR 授予访问权限,以获取、注册和存储容器映像,以及获取授权令牌。
-
Image Builder – 授予访问权限,以获取 Image Builder 组件或容器配方。
-
Amazon KMS— 如果Image Builder组件或容器配方是通过加密的,则授予解密该组件或容器配方的权限。 Amazon KMS
-
Amazon S3 – 授予权限,以获取存储在名称以
ec2imagebuilder-开头的 Amazon S3 存储桶中的对象。
策略示例
以下是 EC2InstanceProfileForImageBuilderECRContainerBuilds 策略的示例。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "imagebuilder:GetComponent", "imagebuilder:GetContainerRecipe", "ecr:GetAuthorizationToken", "ecr:BatchGetImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart", "ecr:CompleteLayerUpload", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:PutImage" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "kms:Decrypt" ], "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "kms:EncryptionContextKeys": "aws:imagebuilder:arn", "aws:CalledVia": [ "imagebuilder.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": "arn:aws:s3:::ec2imagebuilder*" }, { "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:CreateLogGroup", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/imagebuilder/*" } ] }
Image Builder 更新 Amazon 了托管策略
本节提供有关自Image Builder Amazon 托管策略开始跟踪这些更改以来对该服务所做的更新的信息。有关此页面更改的自动警报,请订阅 Image Builder 文档历史记录页面上的 RSS 源。
| 更改 | 描述 | 日期 |
|---|---|---|
|
Image Builder 添加了包含映像生命周期管理权限的新 |
2023 年 11 月 17 日 | |
|
AWSServiceRoleForImageBuilder – 更新了现有策略 |
Image Builder 对服务角色进行了以下更改以提供 macOS 支持。
|
2023 年 8 月 28 日 |
|
AWSServiceRoleForImageBuilder – 更新了现有策略 |
Image Builder 对服务角色进行了以下更改,以允许 Image Builder 工作流程收集 AMI 和 ECR 容器映像版本的漏洞结果。新权限支持 CVE 检测和报告功能。
|
2023 年 3 月 30 日 |
|
AWSServiceRoleForImageBuilder – 更新了现有策略 |
Image Builder 对服务角色进行了以下更改:
|
2022 年 3 月 22 日 |
|
AWSServiceRoleForImageBuilder – 更新了现有策略 |
Image Builder 对服务角色进行了以下更改:
|
2022 年 2 月 21 日 |
|
AWSServiceRoleForImageBuilder – 更新了现有策略 |
Image Builder 对服务角色进行了以下更改:
|
2021 年 11 月 20 日 |
|
AWSServiceRoleForImageBuilder – 更新了现有策略 |
Image Builder 已添加新权限,以修复多个清单关联导致映像构建卡住的问题。 |
2021 年 8 月 11 日 |
|
AWSImageBuilderFullAccess – 更新了现有策略 |
Image Builder 对完全访问权限角色进行了以下更改:
|
2021 年 4 月 13 日 |
|
Image Builder 已开始跟踪更改 |
Image Builder 开始跟踪其 Amazon 托管策略的更改。 |
2021 年 4 月 02 日 |