Using managed policies for EC2 Image Builder - EC2 Image Builder

Using Amazon managed policies to add permissions to users, groups, and roles is easier than writing policies yourself. Creating IAM customer managed policies that grant your team only the permissions it needs takes time and expertise. To get started quickly, you can use our Amazon managed policies. These policies cover common use cases and are available in your Amazon Web Services account. For more information about Amazon managed policies, see Amazon managed policies in the IAM User Guide.

Amazon Web Services maintains and updates Amazon managed policies. You can't change the permissions in Amazon managed policies. Services occasionally add permissions to an Amazon managed policy to support new features. This type of update affects all identities (users, groups, and roles) to which the policy is attached. Services are most likely to update an Amazon managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an Amazon managed policy, so policy updates won't break your existing permissions.

Additionally, Amazon supports managed policies for job functions that span multiple services. For example, the ViewOnlyAccess Amazon managed policy provides read-only access to many Amazon services and resources. When a service launches a new feature, Amazon adds read-only permissions for the new operations and resources. For a list and descriptions of job function policies, see Amazon managed policies for job functions in the IAM User Guide.

AWSImageBuilderFullAccess policy

The AWSImageBuilderFullAccess policy grants full access to Image Builder resources for the role it is attached to, allowing the role to list, describe, create, update, and delete Image Builder resources. The policy also grants targeted permissions to related Amazon services, for example, to verify resources or to display the current resources for the account in the Amazon Web Services Management Console.

Permissions details

This policy includes the following permissions:

  • Image Builder — Grants administrative access so that the role can list, describe, create, update, and delete Image Builder resources.

  • Amazon EC2 — Grants access to the Amazon EC2 Describe actions needed to verify that a resource exists or to get a list of resources that belong to the account.

  • IAM — Grants access to get and use instance profiles whose name contains "imagebuilder", to verify the existence of the Image Builder service-linked role through the iam:GetRole API action, and to create the Image Builder service-linked role.

  • License Manager — Grants access to list license configurations or licenses for a resource.

  • Amazon S3 — Grants access to list the buckets that belong to the account, as well as the Image Builder buckets with "imagebuilder" in their name.

  • Amazon SNS — Grants write permissions to Amazon SNS to verify topic ownership for topics that contain "imagebuilder".

Policy example

The following is an example of the AWSImageBuilderFullAccess policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["imagebuilder:*"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["sns:ListTopics"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["sns:Publish"],
      "Resource": "arn:aws:sns:*:*:*imagebuilder*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "license-manager:ListLicenseConfigurations",
        "license-manager:ListLicenseSpecificationsForResource"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:GetRole"],
      "Resource": "arn:aws:iam::*:role/aws-service-role/imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:GetInstanceProfile"],
      "Resource": "arn:aws:iam::*:instance-profile/*imagebuilder*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:ListInstanceProfiles", "iam:ListRoles"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": [
        "arn:aws:iam::*:instance-profile/*imagebuilder*",
        "arn:aws:iam::*:role/*imagebuilder*"
      ],
      "Condition": {
        "StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}
      }
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3::*:*imagebuilder*"
    },
    {
      "Action": "iam:CreateServiceLinkedRole",
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:role/aws-service-role/imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder",
      "Condition": {
        "StringLike": {"iam:AWSServiceName": "imagebuilder.amazonaws.com"}
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeImages",
        "ec2:DescribeSnapshots",
        "ec2:DescribeVpcs",
        "ec2:DescribeRegions",
        "ec2:DescribeVolumes",
        "ec2:DescribeSubnets",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeInstanceTypeOfferings",
        "ec2:DescribeLaunchTemplates"
      ],
      "Resource": "*"
    }
  ]
}
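The review helpers below are an added example, not code from the AWS documentation or from Image Builder. They take a policy document like the one above and report which Allow statements grant actions on Resource "*" with no Condition, and whether each iam:PassRole grant carries the iam:PassedToService guard that AWSImageBuilderFullAccess uses; SAMPLE_POLICY is a constructed, trimmed subset of that policy.

```python
"""Added example, not from the AWS documentation: review helpers for an IAM
policy document. They report Allow statements that grant actions on
Resource "*" with no Condition, and whether every iam:PassRole grant is
limited with iam:PassedToService (the guard AWSImageBuilderFullAccess uses).
SAMPLE_POLICY is a constructed, trimmed subset of that policy."""
import json

SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["imagebuilder:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["sns:Publish"],
         "Resource": "arn:aws:sns:*:*:*imagebuilder*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": ["arn:aws:iam::*:instance-profile/*imagebuilder*"],
         "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
        {"Effect": "Allow", "Action": ["ec2:DescribeImages", "ec2:DescribeVpcs"],
         "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def unconditioned_wildcards(policy_json):
    """Actions allowed on every resource with no Condition, in policy order."""
    found = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "*" in _as_list(stmt.get("Resource", [])):
            found.extend(_as_list(stmt.get("Action", [])))
    return found


def unguarded_passrole(policy_json):
    """True if an iam:PassRole Allow lacks an iam:PassedToService condition.
    Without it the caller can hand the role to any service. Matches the
    literal action name only; "iam:*" style grants are not expanded."""
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "iam:PassRole" not in _as_list(stmt.get("Action", [])):
            continue
        keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        if "iam:passedtoservice" not in keys:
            return True
    return False
```

Run against the full policy above, the wildcard list shows the Describe-only and imagebuilder:* statements, which is the scope a reviewer should confirm is intended.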

AWSImageBuilderReadOnlyAccess policy

The AWSImageBuilderReadOnlyAccess policy provides read-only access to all Image Builder resources. Permissions are granted to verify that the Image Builder service-linked role exists through the iam:GetRole API action.

Permissions details

This policy includes the following permissions:

  • Image Builder — Grants read-only access to Image Builder resources.

  • IAM — Grants access to verify the existence of the Image Builder service-linked role through the iam:GetRole API action.

Policy example

The following is an example of the AWSImageBuilderReadOnlyAccess policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["imagebuilder:Get*", "imagebuilder:List*"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:GetRole"],
      "Resource": "arn:aws:iam::*:role/aws-service-role/imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder"
    }
  ]
}

AWSServiceRoleForImageBuilder policy

The AWSServiceRoleForImageBuilder policy allows Image Builder to call Amazon services on your behalf.

Permissions details

This policy is attached to the Image Builder service-linked role when that role is created through Systems Manager. The policy includes the following permissions:

  • CloudWatch Logs — Grants access to create and upload CloudWatch Logs to any log group whose name starts with /aws/imagebuilder/.

  • Amazon EC2 — Grants Image Builder access to create images and launch EC2 instances in your account, using associated snapshots, volumes, network interfaces, security groups, and key pairs, as long as the image, instance, and volumes that are being created or used are tagged with CreatedBy: EC2 Image Builder or CreatedBy: EC2 Fast Launch.

    Image Builder can get information about Amazon EC2 images, instance attributes, instance status, the instance types that are available to your account, launch templates, subnets, and tags on Amazon EC2 resources.

    Image Builder can update image settings to enable or disable faster launching of Windows instances in your account, where the image is tagged with CreatedBy: EC2 Image Builder.

    Additionally, Image Builder can start, stop, and terminate instances that are running in your account, share Amazon EBS snapshots, create and update images and launch templates, deregister existing images, add tags, and copy images between accounts to which you have granted permissions through the EC2ImageBuilderCrossAccountDistributionAccess policy. All of these actions require Image Builder tagging, as mentioned previously.

    To see the specific permissions granted, see the policy example in this section.

  • IAM — Grants Image Builder access to pass any role in your account to Amazon EC2 and VM Import/Export.

  • Amazon KMS — Grants Amazon EBS access to encrypt, decrypt, or re-encrypt Amazon EBS volumes. This is essential to ensure that encrypted volumes work properly when Image Builder builds an image.

  • License Manager — Grants Image Builder access to update License Manager through license-manager:UpdateLicenseSpecificationsForResource.

  • Amazon SNS — Grants write permissions for any Amazon SNS topic in the account.

  • Systems Manager — Grants Image Builder access to list Systems Manager commands and their invocations, instance information, inventory entries, and automation execution status. Image Builder can also send automation signals and stop automation executions for any resource in the account.

    Image Builder can run command invocations against any instance tagged "CreatedBy": "EC2 Image Builder" for the following script files: AWS-RunPowerShellScript, AWS-RunShellScript, or AWSEC2-RunSysprep. Image Builder can start Systems Manager automation executions in your account for automation documents whose name starts with ImageBuilder.

    Image Builder can also create or delete State Manager associations for any instance in your account, as long as the association document is AWS-GatherSoftwareInventory, and it can create the Systems Manager service-linked role in your account. For more information about the Image Builder service-linked role, see Using service-linked roles for EC2 Image Builder.

  • Amazon STS — Grants Image Builder access to assume the role named EC2ImageBuilderDistributionCrossAccountRole from your account into any account whose trust policy for that role allows it. This is used for cross-account image distribution.

Policy example

The following is an example of the AWSServiceRoleForImageBuilder policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ec2:RunInstances"],
      "Resource": [
        "arn:aws:ec2:*::image/*",
        "arn:aws:ec2:*::snapshot/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:key-pair/*",
        "arn:aws:ec2:*:*:launch-template/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:RunInstances"],
      "Resource": [
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:instance/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/CreatedBy": ["EC2 Image Builder", "EC2 Fast Launch"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "ec2.amazonaws.com",
            "ec2.amazonaws.com.cn",
            "vmie.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {"ec2:ResourceTag/CreatedBy": "EC2 Image Builder"}
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CopyImage",
        "ec2:CreateImage",
        "ec2:CreateLaunchTemplate",
        "ec2:DeregisterImage",
        "ec2:DescribeExportImageTasks",
        "ec2:DescribeImages",
        "ec2:DescribeImportImageTasks",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceTypeOfferings",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeSnapshots",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags",
        "ec2:ModifyImageAttribute"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:ModifySnapshotAttribute"],
      "Resource": "arn:aws:ec2:*::snapshot/*",
      "Condition": {
        "StringEquals": {"ec2:ResourceTag/CreatedBy": "EC2 Image Builder"}
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateTags"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": ["RunInstances", "CreateImage"],
          "aws:RequestTag/CreatedBy": ["EC2 Image Builder", "EC2 Fast Launch"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateTags"],
      "Resource": [
        "arn:aws:ec2:*::image/*",
        "arn:aws:ec2:*:*:export-image-task/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateTags"],
      "Resource": [
        "arn:aws:ec2:*::snapshot/*",
        "arn:aws:ec2:*:*:launch-template/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/CreatedBy": ["EC2 Image Builder", "EC2 Fast Launch"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:EnableFastLaunch"],
      "Resource": [
        "arn:aws:ec2:*::image/*",
        "arn:aws:ec2:*:*:launch-template/*"
      ],
      "Condition": {
        "StringEquals": {"ec2:ResourceTag/CreatedBy": "EC2 Image Builder"}
      }
    },
    {
      "Effect": "Allow",
      "Action": ["license-manager:UpdateLicenseSpecificationsForResource"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["sns:Publish"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:AddTagsToResource",
        "ssm:DescribeAssociationExecutions",
        "ssm:DescribeInstanceAssociationsStatus",
        "ssm:DescribeInstanceInformation",
        "ssm:GetAutomationExecution",
        "ssm:ListCommands",
        "ssm:ListCommandInvocations",
        "ssm:ListInventoryEntries",
        "ssm:SendAutomationSignal",
        "ssm:StopAutomationExecution"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ssm:SendCommand",
      "Resource": [
        "arn:aws:ssm:*:*:document/AWS-RunPowerShellScript",
        "arn:aws:ssm:*:*:document/AWS-RunShellScript",
        "arn:aws:ssm:*:*:document/AWSEC2-RunSysprep",
        "arn:aws:s3:::*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["ssm:SendCommand"],
      "Resource": ["arn:aws:ec2:*:*:instance/*"],
      "Condition": {
        "StringEquals": {"ssm:resourceTag/CreatedBy": ["EC2 Image Builder"]}
      }
    },
    {
      "Effect": "Allow",
      "Action": "ssm:StartAutomationExecution",
      "Resource": "arn:aws:ssm:*:*:automation-definition/ImageBuilder*"
    },
    {
      "Effect": "Allow",
      "Action": ["ssm:CreateAssociation", "ssm:DeleteAssociation"],
      "Resource": [
        "arn:aws:ssm:*:*:document/AWS-GatherSoftwareInventory",
        "arn:aws:ssm:*:*:association/*",
        "arn:aws:ec2:*:*:instance/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKeyWithoutPlaintext",
        "kms:ReEncryptFrom",
        "kms:ReEncryptTo"
      ],
      "Resource": "*",
      "Condition": {
        "ForAllValues:StringEquals": {"kms:EncryptionContextKeys": ["aws:ebs:id"]},
        "StringLike": {"kms:ViaService": ["ec2.*.amazonaws.com"]}
      }
    },
    {
      "Effect": "Allow",
      "Action": ["kms:DescribeKey"],
      "Resource": "*",
      "Condition": {
        "StringLike": {"kms:ViaService": ["ec2.*.amazonaws.com"]}
      }
    },
    {
      "Effect": "Allow",
      "Action": "kms:CreateGrant",
      "Resource": "*",
      "Condition": {
        "Bool": {"kms:GrantIsForAWSResource": true},
        "StringLike": {"kms:ViaService": ["ec2.*.amazonaws.com"]}
      }
    },
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::*:role/EC2ImageBuilderDistributionCrossAccountRole"
    },
    {
      "Effect": "Allow",
      "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/imagebuilder/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateLaunchTemplateVersion",
        "ec2:DescribeLaunchTemplates",
        "ec2:DescribeLaunchTemplateVersions",
        "ec2:ModifyLaunchTemplate"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:ExportImage"],
      "Resource": "arn:aws:ec2:*::image/*",
      "Condition": {
        "StringEquals": {"ec2:ResourceTag/CreatedBy": "EC2 Image Builder"}
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:ExportImage"],
      "Resource": "arn:aws:ec2:*:*:export-image-task/*"
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CancelExportTask"],
      "Resource": "arn:aws:ec2:*:*:export-image-task/*",
      "Condition": {
        "StringEquals": {"ec2:ResourceTag/CreatedBy": "EC2 Image Builder"}
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": ["ssm.amazonaws.com", "ec2fastlaunch.amazonaws.com"]
        }
      }
    }
  ]
}
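The evaluator below is an added example, not code from the AWS documentation or from the Image Builder service. It models the guards that the permissions details above describe for this policy: the CreatedBy resource-tag condition on instance lifecycle actions, the iam:PassedToService condition on iam:PassRole, and the ARN-prefix match on ssm:StartAutomationExecution. It handles only Allow statements, StringEquals conditions and "*" wildcards (no explicit Deny, SCPs or resource policies), and STATEMENTS is a constructed subset of the policy.

```python
"""Added example, not AWS code: a simplified evaluator for the guards in the
AWSServiceRoleForImageBuilder policy. Models only Allow statements with
StringEquals conditions and "*" wildcards; explicit Deny, SCPs and resource
policies are out of scope. STATEMENTS is a constructed subset of the policy."""
import fnmatch

STATEMENTS = [
    # Lifecycle actions only on instances that Image Builder itself tagged.
    {"Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"],
     "Resource": "*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/CreatedBy": "EC2 Image Builder"}}},
    # PassRole on any role, but only to the EC2 and VM Import/Export services.
    {"Action": "iam:PassRole", "Resource": "*",
     "Condition": {"StringEquals": {"iam:PassedToService": [
         "ec2.amazonaws.com", "ec2.amazonaws.com.cn", "vmie.amazonaws.com"]}}},
    # Automation documents are limited by ARN prefix rather than by tag.
    {"Action": "ssm:StartAutomationExecution",
     "Resource": "arn:aws:ssm:*:*:automation-definition/ImageBuilder*"},
]


def _as_list(value):
    """IAM accepts a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """'*' and '?' are wildcards in Action and Resource. Simplification: both
    are compared case-insensitively here (IAM treats only actions that way)."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _condition_ok(condition, context):
    """Every StringEquals key must be present in the request context and match
    one of the allowed values; a missing key (e.g. an untagged instance) fails."""
    for key, allowed in condition.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(allowed):
            return False
    return True


def is_allowed(action, resource_arn, context, statements=STATEMENTS):
    """True if some statement allows action on resource_arn for this request
    context, e.g. {"ec2:ResourceTag/CreatedBy": "EC2 Image Builder"}."""
    for stmt in statements:
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_ok(stmt.get("Condition", {}), context):
            return True
    return False  # no matching Allow: implicit deny
```

The untagged-instance and wrong-service cases are the ones worth keeping in a regression test, since they are what stop the service role from being used against instances or roles that Image Builder did not create.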

EC2ImageBuilderCrossAccountDistributionAccess policy

The EC2ImageBuilderCrossAccountDistributionAccess policy grants Image Builder permissions to distribute images across accounts in target Regions. Additionally, Image Builder can describe, copy, and apply tags to any Amazon EC2 image in the account. The policy also grants the ability to modify AMI permissions through the ec2:ModifyImageAttribute API action.

Permissions details

This policy includes the following permissions:

  • Amazon EC2 — Grants Amazon EC2 access to describe, copy, and modify attributes of images, and to create tags for any Amazon EC2 image in the account.

Policy example

The following is an example of the EC2ImageBuilderCrossAccountDistributionAccess policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:*::image/*"
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:DescribeImages", "ec2:CopyImage", "ec2:ModifyImageAttribute"],
      "Resource": "*"
    }
  ]
}

EC2InstanceProfileForImageBuilder policy

The EC2InstanceProfileForImageBuilder policy grants the minimum permissions required for an EC2 instance to work with Image Builder. This does not include the permissions required to use the Systems Manager Agent.

Permissions details

This policy includes the following permissions:

  • CloudWatch Logs — Grants access to create and upload CloudWatch Logs to any log group whose name starts with /aws/imagebuilder/.

  • Image Builder — Grants access to get any Image Builder component.

  • Amazon KMS — Grants access to decrypt an Image Builder component, if it was encrypted through Amazon KMS.

  • Amazon S3 — Grants access to get objects stored in an Amazon S3 bucket whose name starts with ec2imagebuilder-.

Policy example

The following is an example of the EC2InstanceProfileForImageBuilder policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["imagebuilder:GetComponent"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["kms:Decrypt"],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "kms:EncryptionContextKeys": "aws:imagebuilder:arn",
          "aws:CalledVia": ["imagebuilder.amazonaws.com"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::ec2imagebuilder*"
    },
    {
      "Effect": "Allow",
      "Action": ["logs:CreateLogStream", "logs:CreateLogGroup", "logs:PutLogEvents"],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/imagebuilder/*"
    }
  ]
}

EC2InstanceProfileForImageBuilderECRContainerBuilds policy

The EC2InstanceProfileForImageBuilderECRContainerBuilds policy grants the minimum permissions required for an EC2 instance when you use Image Builder to build Docker images and then register and store those images in an Amazon ECR container repository. This does not include the permissions required to use the Systems Manager Agent.

Permissions details

This policy includes the following permissions:

  • CloudWatch Logs — Grants access to create and upload CloudWatch Logs to any log group whose name starts with /aws/imagebuilder/.

  • Amazon ECR — Grants Amazon ECR access to get, register, and store container images, and to get an authorization token.

  • Image Builder — Grants access to get an Image Builder component or container recipe.

  • Amazon KMS — Grants access to decrypt an Image Builder component or container recipe, if it was encrypted through Amazon KMS.

  • Amazon S3 — Grants access to get objects stored in an Amazon S3 bucket whose name starts with ec2imagebuilder-.

Policy example

The following is an example of the EC2InstanceProfileForImageBuilderECRContainerBuilds policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "imagebuilder:GetComponent",
        "imagebuilder:GetContainerRecipe",
        "ecr:GetAuthorizationToken",
        "ecr:BatchGetImage",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:PutImage"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["kms:Decrypt"],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "kms:EncryptionContextKeys": "aws:imagebuilder:arn",
          "aws:CalledVia": ["imagebuilder.amazonaws.com"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::ec2imagebuilder*"
    },
    {
      "Effect": "Allow",
      "Action": ["logs:CreateLogStream", "logs:CreateLogGroup", "logs:PutLogEvents"],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/imagebuilder/*"
    }
  ]
}

Image Builder updates to Amazon managed policies

This section provides information about updates to Amazon managed policies for Image Builder since the service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Image Builder Document history page.

Change | Description | Date

AWSServiceRoleForImageBuilder – Update to an existing policy

Image Builder made the following changes to the service role:

  • Added permissions for the EC2 EnableFastLaunch API action, to enable and disable fast launch for Windows instances.

  • Narrowed the scope of ec2:CreateTags actions and resource tag conditions.

February 21, 2022

AWSServiceRoleForImageBuilder – Update to an existing policy

Image Builder made the following changes to the service role:

  • Added permissions to call the VMIE service to import a virtual machine and create a base AMI from it.

  • Tightened the scope of ec2:CreateTags actions and resource tag conditions.

November 20, 2021

AWSServiceRoleForImageBuilder – Update to an existing policy

Image Builder added new permissions to fix an issue where multiple inventory associations caused image builds to get stuck.

August 11, 2021

AWSImageBuilderFullAccess – Update to an existing policy

Image Builder made the following changes to the full access role:

  • Added permissions to allow ec2:DescribeInstanceTypeOfferings.

  • Added permissions to call ec2:DescribeInstanceTypeOfferings so that the Image Builder console can accurately reflect the instance types that are available in the account.

April 13, 2021

Image Builder started tracking changes

Image Builder started tracking changes to its Amazon managed policies.

April 2, 2021
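Because a managed-policy update lands on every identity the policy is attached to, a reviewer usually wants the exact grants that changed between two versions. The helper below is an added example, not code from the AWS documentation: it flattens each Allow statement into (action, resource, condition) grants and diffs two versions, and OLD and NEW are constructed subsets that mimic the April 13, 2021 AWSImageBuilderFullAccess change rather than the real policy versions.

```python
"""Added example, not from the AWS documentation: diff two versions of a
managed policy by flattening each Allow statement into (action, resource,
condition) grants, so an update like the 2021-04-13 change to
AWSImageBuilderFullAccess can be reviewed before it reaches every attached
identity. OLD and NEW are constructed subsets, not real policy versions."""
import json

OLD = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:DescribeImages", "ec2:DescribeVpcs"],
     "Resource": "*"},
]})
NEW = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:DescribeImages", "ec2:DescribeVpcs",
                "ec2:DescribeInstanceTypeOfferings"],
     "Resource": "*"},
]})


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def grants(policy_json):
    """Flatten Allow statements into a set of (action, resource, condition)
    tuples; the condition is serialised with sorted keys so it compares stably."""
    out = set()
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        cond = json.dumps(stmt.get("Condition", {}), sort_keys=True)
        for action in _as_list(stmt["Action"]):
            for resource in _as_list(stmt["Resource"]):
                out.add((action, resource, cond))
    return out


def diff_policies(old_json, new_json):
    """Grants present only in the new version, and any that disappeared.
    Per the note above, a managed-policy update should show an empty 'removed'."""
    old, new = grants(old_json), grants(new_json)
    return {"added": sorted(new - old), "removed": sorted(old - new)}
```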