
Using managed policies for EC2 Image Builder

Using Amazon managed policies to add permissions to users, groups, and roles is easier than writing the policies yourself. Creating IAM customer managed policies that give your team only the permissions it needs takes time and expertise. To get started quickly, you can use our Amazon managed policies. These policies cover common use cases and are available in your Amazon Web Services account. For more information about Amazon managed policies, see Amazon managed policies in the IAM User Guide.

Amazon Web Services maintains and updates Amazon managed policies. You can't change the permissions in an Amazon managed policy. Services occasionally add permissions to an Amazon managed policy to support new features. Such an update affects every identity (user, group, or role) that the policy is attached to. Services are most likely to update an Amazon managed policy when a new feature is launched or a new operation becomes available. Services do not remove permissions from an Amazon managed policy, so a policy update will not break your existing permissions.

Additionally, Amazon supports managed policies for job functions that span multiple services. For example, the ViewOnlyAccess Amazon managed policy provides read-only access to many Amazon Web Services services and resources. When a service launches a new feature, Amazon adds read-only permissions for the new operations and resources. For a list and descriptions of job function policies, see Amazon managed policies for job functions in the IAM User Guide.

AWSImageBuilderFullAccess policy

The AWSImageBuilderFullAccess policy grants the role it is attached to full access to Image Builder resources, allowing that role to list, describe, create, update, and delete Image Builder resources. The policy also grants targeted permissions to related Amazon Web Services services where these are needed, for example to verify that resources exist or to display the account's current resources in the Amazon Web Services Management Console.

Permission details

This policy includes the following permissions:

  • Image Builder — Grants administrative access, so the role can list, describe, create, update, and delete Image Builder resources.

  • Amazon EC2 — Grants access to Amazon EC2 Describe actions, which are required to verify that a resource exists or to get a list of the resources that belong to the account.

  • IAM — Grants access to get and use instance profiles whose name contains "imagebuilder", to verify that the Image Builder service-linked role exists via the iam:GetRole API action, and to create the Image Builder service-linked role.

  • License Manager — Grants access to list license configurations or licenses for a resource.

  • Amazon S3 — Grants access to list the buckets that belong to the account, and the Image Builder buckets whose name contains "imagebuilder".

  • Amazon SNS — Grants write permission to Amazon SNS to verify topic ownership for topics whose name contains "imagebuilder".

Policy example

The following is an example of the AWSImageBuilderFullAccess policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "imagebuilder:*" ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [ "sns:ListTopics" ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [ "sns:Publish" ],
      "Resource": "arn:aws:sns:*:*:*imagebuilder*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "license-manager:ListLicenseConfigurations",
        "license-manager:ListLicenseSpecificationsForResource"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [ "iam:GetRole" ],
      "Resource": "arn:aws:iam::*:role/aws-service-role/imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder"
    },
    {
      "Effect": "Allow",
      "Action": [ "iam:GetInstanceProfile" ],
      "Resource": "arn:aws:iam::*:instance-profile/*imagebuilder*"
    },
    {
      "Effect": "Allow",
      "Action": [ "iam:ListInstanceProfiles", "iam:ListRoles" ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": [
        "arn:aws:iam::*:instance-profile/*imagebuilder*",
        "arn:aws:iam::*:role/*imagebuilder*"
      ],
      "Condition": {
        "StringEquals": { "iam:PassedToService": "ec2.amazonaws.com" }
      }
    },
    {
      "Effect": "Allow",
      "Action": [ "s3:ListAllMyBuckets", "s3:GetBucketLocation" ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [ "s3:ListBucket" ],
      "Resource": "arn:aws:s3::*:*imagebuilder*"
    },
    {
      "Action": "iam:CreateServiceLinkedRole",
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:role/aws-service-role/imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder",
      "Condition": {
        "StringLike": { "iam:AWSServiceName": "imagebuilder.amazonaws.com" }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeImages",
        "ec2:DescribeSnapshots",
        "ec2:DescribeVpcs",
        "ec2:DescribeRegions",
        "ec2:DescribeVolumes",
        "ec2:DescribeSubnets",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeInstanceTypeOfferings",
        "ec2:DescribeLaunchTemplates"
      ],
      "Resource": "*"
    }
  ]
}

AWSImageBuilderReadOnlyAccess policy

The AWSImageBuilderReadOnlyAccess policy provides read-only access to all Image Builder resources. It also grants permission to verify that the Image Builder service-linked role exists via the iam:GetRole API action.

Permission details

This policy includes the following permissions:

  • Image Builder — Grants read-only access to Image Builder resources.

  • IAM — Grants access to verify that the Image Builder service-linked role exists via the iam:GetRole API action.

Policy example

The following is an example of the AWSImageBuilderReadOnlyAccess policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "imagebuilder:Get*", "imagebuilder:List*" ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [ "iam:GetRole" ],
      "Resource": "arn:aws:iam::*:role/aws-service-role/imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder"
    }
  ]
}

AWSServiceRoleForImageBuilder policy

The AWSServiceRoleForImageBuilder policy allows Image Builder to call Amazon Web Services services on your behalf.

Permission details

This policy is attached to the Image Builder service-linked role when that role is created through Systems Manager. The policy includes the following permissions:

  • CloudWatch Logs — Grants access to create CloudWatch Logs and upload them to any log group whose name begins with /aws/imagebuilder/.

  • Amazon EC2 — Grants Image Builder access to create images and launch EC2 instances in your account, as long as the images, instances, and volumes being created or used are tagged CreatedBy: EC2 Image Builder or CreatedBy: EC2 Fast Launch.

    Image Builder can get information about Amazon EC2 images, instance attributes, instance status, the instance types available to your account, launch templates, subnets, and the tags on your Amazon EC2 resources.

    Image Builder can update image settings to enable or disable faster launching of Windows instances in your account, for images tagged CreatedBy: EC2 Image Builder.

    Additionally, Image Builder can start, stop, and terminate instances running in your account, share Amazon EBS snapshots, create and update images and launch templates, deregister existing images, add tags, and copy images across accounts where you have granted permission through the Ec2ImageBuilderCrossAccountDistributionAccess policy. As noted above, all of these actions require the Image Builder tags.

    To see the specific permissions granted, see the policy example in this section.

  • IAM — Grants Image Builder access to pass any role in the account to Amazon EC2 and to VM Import/Export.

  • Amazon KMS — Grants Amazon EBS access to encrypt, decrypt, or re-encrypt Amazon EBS volumes. This is essential for encrypted volumes to work when Image Builder builds images.

  • License Manager — Grants Image Builder access to update License Manager specifications via license-manager:UpdateLicenseSpecificationsForResource.

  • Amazon SNS — Grants write permission to any Amazon SNS topic in the account.

  • Systems Manager — Grants Image Builder access to list Systems Manager commands and their invocations, instance information, inventory entries, and automation execution status. Image Builder can also send automation signals and stop automation executions for any resource in the account.

    Image Builder can issue Run Command invocations to any instance tagged "CreatedBy": "EC2 Image Builder" for the following script documents: AWS-RunPowerShellScript, AWS-RunShellScript, or AWSEC2-RunSysprep. For automation documents whose name begins with ImageBuilder, Image Builder can start Systems Manager automation executions in your account.

    Image Builder can also create or delete State Manager associations for any instance in your account, as long as the association document is AWS-GatherSoftwareInventory, and can create the Systems Manager service-linked role in your account. For more information about the Image Builder service-linked role, see Using service-linked roles for EC2 Image Builder.

  • Amazon STS — Grants Image Builder access to assume the role named EC2ImageBuilderDistributionCrossAccountRole from your account, as long as that role's trust policy allows it. This is used for cross-account Image Builder distribution.

Policy example

The following is an example of the AWSServiceRoleForImageBuilder policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "ec2:RunInstances" ],
      "Resource": [
        "arn:aws:ec2:*::image/*",
        "arn:aws:ec2:*::snapshot/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:key-pair/*",
        "arn:aws:ec2:*:*:launch-template/*",
        "arn:aws:license-manager:*:*:license-configuration:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [ "ec2:RunInstances" ],
      "Resource": [
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:instance/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/CreatedBy": [ "EC2 Image Builder", "EC2 Fast Launch" ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "ec2.amazonaws.com",
            "ec2.amazonaws.com.cn",
            "vmie.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [ "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances" ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "ec2:ResourceTag/CreatedBy": "EC2 Image Builder" }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CopyImage",
        "ec2:CreateImage",
        "ec2:CreateLaunchTemplate",
        "ec2:DeregisterImage",
        "ec2:DescribeExportImageTasks",
        "ec2:DescribeImages",
        "ec2:DescribeImportImageTasks",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceTypeOfferings",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeSnapshots",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags",
        "ec2:ModifyImageAttribute"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [ "ec2:ModifySnapshotAttribute" ],
      "Resource": "arn:aws:ec2:*::snapshot/*",
      "Condition": {
        "StringEquals": { "ec2:ResourceTag/CreatedBy": "EC2 Image Builder" }
      }
    },
    {
      "Effect": "Allow",
      "Action": [ "ec2:CreateTags" ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": [ "RunInstances", "CreateImage" ],
          "aws:RequestTag/CreatedBy": [ "EC2 Image Builder", "EC2 Fast Launch" ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [ "ec2:CreateTags" ],
      "Resource": [
        "arn:aws:ec2:*::image/*",
        "arn:aws:ec2:*:*:export-image-task/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [ "ec2:CreateTags" ],
      "Resource": [
        "arn:aws:ec2:*::snapshot/*",
        "arn:aws:ec2:*:*:launch-template/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/CreatedBy": [ "EC2 Image Builder", "EC2 Fast Launch" ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [ "ec2:EnableFastLaunch" ],
      "Resource": [
        "arn:aws:ec2:*::image/*",
        "arn:aws:ec2:*:*:launch-template/*"
      ],
      "Condition": {
        "StringEquals": { "ec2:ResourceTag/CreatedBy": "EC2 Image Builder" }
      }
    },
    {
      "Effect": "Allow",
      "Action": [ "license-manager:UpdateLicenseSpecificationsForResource" ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [ "sns:Publish" ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:AddTagsToResource",
        "ssm:DescribeAssociationExecutions",
        "ssm:DescribeInstanceAssociationsStatus",
        "ssm:DescribeInstanceInformation",
        "ssm:GetAutomationExecution",
        "ssm:ListCommands",
        "ssm:ListCommandInvocations",
        "ssm:ListInventoryEntries",
        "ssm:SendAutomationSignal",
        "ssm:StopAutomationExecution"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ssm:SendCommand",
      "Resource": [
        "arn:aws:ssm:*:*:document/AWS-RunPowerShellScript",
        "arn:aws:ssm:*:*:document/AWS-RunShellScript",
        "arn:aws:ssm:*:*:document/AWSEC2-RunSysprep",
        "arn:aws:s3:::*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [ "ssm:SendCommand" ],
      "Resource": [ "arn:aws:ec2:*:*:instance/*" ],
      "Condition": {
        "StringEquals": { "ssm:resourceTag/CreatedBy": [ "EC2 Image Builder" ] }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ssm:StartAutomationExecution",
      "Resource": "arn:aws:ssm:*:*:automation-definition/ImageBuilder*"
    },
    {
      "Effect": "Allow",
      "Action": [ "ssm:CreateAssociation", "ssm:DeleteAssociation" ],
      "Resource": [
        "arn:aws:ssm:*:*:document/AWS-GatherSoftwareInventory",
        "arn:aws:ssm:*:*:association/*",
        "arn:aws:ec2:*:*:instance/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKeyWithoutPlaintext",
        "kms:ReEncryptFrom",
        "kms:ReEncryptTo"
      ],
      "Resource": "*",
      "Condition": {
        "ForAllValues:StringEquals": { "kms:EncryptionContextKeys": [ "aws:ebs:id" ] },
        "StringLike": { "kms:ViaService": [ "ec2.*.amazonaws.com" ] }
      }
    },
    {
      "Effect": "Allow",
      "Action": [ "kms:DescribeKey" ],
      "Resource": "*",
      "Condition": {
        "StringLike": { "kms:ViaService": [ "ec2.*.amazonaws.com" ] }
      }
    },
    {
      "Effect": "Allow",
      "Action": "kms:CreateGrant",
      "Resource": "*",
      "Condition": {
        "Bool": { "kms:GrantIsForAWSResource": true },
        "StringLike": { "kms:ViaService": [ "ec2.*.amazonaws.com" ] }
      }
    },
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::*:role/EC2ImageBuilderDistributionCrossAccountRole"
    },
    {
      "Effect": "Allow",
      "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/imagebuilder/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateLaunchTemplateVersion",
        "ec2:DescribeLaunchTemplates",
        "ec2:DescribeLaunchTemplateVersions",
        "ec2:ModifyLaunchTemplate"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [ "ec2:ExportImage" ],
      "Resource": "arn:aws:ec2:*::image/*",
      "Condition": {
        "StringEquals": { "ec2:ResourceTag/CreatedBy": "EC2 Image Builder" }
      }
    },
    {
      "Effect": "Allow",
      "Action": [ "ec2:ExportImage" ],
      "Resource": "arn:aws:ec2:*:*:export-image-task/*"
    },
    {
      "Effect": "Allow",
      "Action": [ "ec2:CancelExportTask" ],
      "Resource": "arn:aws:ec2:*:*:export-image-task/*",
      "Condition": {
        "StringEquals": { "ec2:ResourceTag/CreatedBy": "EC2 Image Builder" }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": [ "ssm.amazonaws.com", "ec2fastlaunch.amazonaws.com" ]
        }
      }
    }
  ]
}
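The guardrails in these policies live in their conditions: AWSImageBuilderFullAccess lets a user pass only roles whose name contains "imagebuilder", and only to EC2, and the service role can launch instances and volumes only when the request carries the CreatedBy tag. The following added example (not code from the page or from the Image Builder service) is a minimal evaluator for those statements so that you can check what a given request would and would not be allowed to do; it models only StringEquals conditions and Allow statements, and the three statements in SAMPLE_POLICY are copied from the policies above.

```python
import fnmatch

# Constructed sample: three statements copied from the policies shown on this
# page (AWSImageBuilderFullAccess PassRole, AWSServiceRoleForImageBuilder
# RunInstances, AWSImageBuilderReadOnlyAccess). The real policies are longer.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": ["arn:aws:iam::*:instance-profile/*imagebuilder*",
                  "arn:aws:iam::*:role/*imagebuilder*"],
     "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
    {"Effect": "Allow", "Action": ["ec2:RunInstances"],
     "Resource": ["arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:instance/*"],
     "Condition": {"StringEquals": {"aws:RequestTag/CreatedBy":
                                    ["EC2 Image Builder", "EC2 Fast Launch"]}}},
    {"Effect": "Allow", "Action": ["imagebuilder:Get*", "imagebuilder:List*"],
     "Resource": "*"},
]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _string_equals_ok(cond, ctx):
    # Every StringEquals key must be present in the request context and equal
    # one of the allowed values; a key that is absent from the request fails.
    for key, allowed in cond.get("StringEquals", {}).items():
        if ctx.get(key) not in _as_list(allowed):
            return False
    return True

def is_allowed(policy, action, resource, ctx=None):
    """True if some Allow statement matches action, resource and context.
    Actions match case-insensitively, ARNs case-sensitively; '*' and '?' are
    the IAM wildcards. Only StringEquals conditions are modelled, and there is
    no Deny handling because the policies on this page contain Allow only."""
    ctx = ctx or {}
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r)
                   for r in _as_list(st["Resource"])):
            continue
        if _string_equals_ok(st.get("Condition", {}), ctx):
            return True
    return False
```

Because ARN matching is case-sensitive, a role named MyImageBuilderRole does not satisfy the `*imagebuilder*` pattern; the lowercase substring has to appear in the name.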

Ec2ImageBuilderCrossAccountDistributionAccess policy

The Ec2ImageBuilderCrossAccountDistributionAccess policy grants Image Builder permission to distribute images across accounts in the target Regions. Additionally, Image Builder can describe, copy, and apply tags to any Amazon EC2 image in the account. The policy also allows AMI permissions to be modified via the ec2:ModifyImageAttribute API action.

Permission details

This policy includes the following permissions:

  • Amazon EC2 — Grants Amazon EC2 access to describe, copy, and modify the attributes of images, and to create tags for any Amazon EC2 image in the account.

Policy example

The following is an example of the Ec2ImageBuilderCrossAccountDistributionAccess policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:*::image/*"
    },
    {
      "Effect": "Allow",
      "Action": [ "ec2:DescribeImages", "ec2:CopyImage", "ec2:ModifyImageAttribute" ],
      "Resource": "*"
    }
  ]
}

EC2InstanceProfileForImageBuilder policy

The EC2InstanceProfileForImageBuilder policy grants the minimum permissions an EC2 instance needs to work with Image Builder. This does not include the permissions needed to use the Systems Manager agent.

Permission details

This policy includes the following permissions:

  • CloudWatch Logs — Grants access to create CloudWatch Logs and upload them to any log group whose name begins with /aws/imagebuilder/.

  • Image Builder — Grants access to get any Image Builder component.

  • Amazon KMS — Grants access to decrypt an Image Builder component if it was encrypted with Amazon KMS.

  • Amazon S3 — Grants access to get objects stored in Amazon S3 buckets whose name begins with ec2imagebuilder-.

Policy example

The following is an example of the EC2InstanceProfileForImageBuilder policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "imagebuilder:GetComponent" ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [ "kms:Decrypt" ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "kms:EncryptionContextKeys": "aws:imagebuilder:arn",
          "aws:CalledVia": [ "imagebuilder.amazonaws.com" ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [ "s3:GetObject" ],
      "Resource": "arn:aws:s3:::ec2imagebuilder*"
    },
    {
      "Effect": "Allow",
      "Action": [ "logs:CreateLogStream", "logs:CreateLogGroup", "logs:PutLogEvents" ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/imagebuilder/*"
    }
  ]
}

EC2InstanceProfileForImageBuilderECRContainerBuilds policy

The EC2InstanceProfileForImageBuilderECRContainerBuilds policy grants the minimum permissions an EC2 instance needs when it uses Image Builder to build Docker images and then register and store those images in an Amazon ECR container repository. This does not include the permissions needed to use the Systems Manager agent.

Permission details

This policy includes the following permissions:

  • CloudWatch Logs — Grants access to create CloudWatch Logs and upload them to any log group whose name begins with /aws/imagebuilder/.

  • Amazon ECR — Grants Amazon ECR access to get, register, and store container images, and to get authorization tokens.

  • Image Builder — Grants access to get Image Builder components or container recipes.

  • Amazon KMS — Grants access to decrypt an Image Builder component or container recipe if it was encrypted with Amazon KMS.

  • Amazon S3 — Grants access to get objects stored in Amazon S3 buckets whose name begins with ec2imagebuilder-.

Policy example

The following is an example of the EC2InstanceProfileForImageBuilderECRContainerBuilds policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "imagebuilder:GetComponent",
        "imagebuilder:GetContainerRecipe",
        "ecr:GetAuthorizationToken",
        "ecr:BatchGetImage",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:PutImage"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [ "kms:Decrypt" ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "kms:EncryptionContextKeys": "aws:imagebuilder:arn",
          "aws:CalledVia": [ "imagebuilder.amazonaws.com" ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [ "s3:GetObject" ],
      "Resource": "arn:aws:s3:::ec2imagebuilder*"
    },
    {
      "Effect": "Allow",
      "Action": [ "logs:CreateLogStream", "logs:CreateLogGroup", "logs:PutLogEvents" ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/imagebuilder/*"
    }
  ]
}

Image Builder updates to Amazon managed policies

This section provides information about updates to the Amazon managed policies for Image Builder since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Image Builder Document history page.

Change / Description / Date

Change: AWSServiceRoleForImageBuilder – Update to an existing policy
Description: Image Builder made the following change to the service role:
  • Added License Manager licenses as a resource for ec2:RunInstances calls, allowing customers to use base image AMIs that are associated with license configurations.
Date: March 22, 2022

Change: AWSServiceRoleForImageBuilder – Update to an existing policy
Description: Image Builder made the following changes to the service role:
  • Added permissions for the EC2 EnableFastLaunch API action, to enable and disable faster launching of Windows instances.
  • Further narrowed the scope of ec2:CreateTags actions and resource tag conditions.
Date: February 21, 2022

Change: AWSServiceRoleForImageBuilder – Update to an existing policy
Description: Image Builder made the following changes to the service role:
  • Added permission to call the VMIE service to import a VM and create a base AMI from it.
  • Narrowed the scope of ec2:CreateTags actions and resource tag conditions.
Date: November 20, 2021

Change: AWSServiceRoleForImageBuilder – Update to an existing policy
Description: Image Builder added new permissions to fix an issue where multiple inventory associations caused image builds to become stuck.
Date: August 11, 2021

Change: AWSImageBuilderFullAccess – Update to an existing policy
Description: Image Builder made the following changes to the full access role:
  • Added permission to allow ec2:DescribeInstanceTypeOfferings.
  • Added permission to call ec2:DescribeInstanceTypeOfferings so that the Image Builder console can accurately reflect the instance types available in the account.
Date: April 13, 2021

Change: Image Builder started tracking changes
Description: Image Builder started tracking changes for its Amazon managed policies.
Date: April 2, 2021
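Because the managed-policy updates listed above are applied to every identity the policy is attached to, it is worth verifying on your side that a new policy version only adds grants, as the introduction states, rather than removing or loosening any. The following is an added example (not code from the page or from Image Builder) that flattens two policy versions into (action, resource, condition) grants and reports the difference; the sample versions are constructed from the ec2 Describe statement of AWSImageBuilderFullAccess around the April 13, 2021 entry, with the other statements omitted.

```python
import json

def _as_list(v):
    return v if isinstance(v, list) else [v]

def allow_grants(policy):
    """Flatten Allow statements into (action, resource, condition) triples.
    The condition is kept as a canonical JSON string, so a loosened or dropped
    condition shows up as a change just like a new action would."""
    grants = set()
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        cond = json.dumps(st.get("Condition", {}), sort_keys=True)
        for action in _as_list(st["Action"]):
            for resource in _as_list(st["Resource"]):
                grants.add((action, resource, cond))
    return grants

def policy_drift(old, new):
    """Return (added, removed) grants between two versions of a policy.
    For an Amazon managed policy, 'removed' is expected to be empty; anything
    listed there is what a reviewer should look into first."""
    old_grants, new_grants = allow_grants(old), allow_grants(new)
    return sorted(new_grants - old_grants), sorted(old_grants - new_grants)

# Constructed sample: one statement of AWSImageBuilderFullAccess before and after
# the April 13, 2021 update, which added ec2:DescribeInstanceTypeOfferings.
OLD_VERSION = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:DescribeImages", "ec2:DescribeSnapshots",
                "ec2:DescribeLaunchTemplates"]}]}
NEW_VERSION = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:DescribeImages", "ec2:DescribeSnapshots",
                "ec2:DescribeInstanceTypeOfferings", "ec2:DescribeLaunchTemplates"]}]}

if __name__ == "__main__":
    added, removed = policy_drift(OLD_VERSION, NEW_VERSION)
    print("added:", added)
    print("removed:", removed)
```

Feed it the documents returned for two versions of the same managed policy (for example from `aws iam get-policy-version`) to review an update before it reaches the identities it is attached to.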