Amazon managed policies for EC2 Image Builder - EC2 Image Builder
The Amazon Web Services services or features described in the Amazon Web Services documentation may vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

This is a machine-translated version. If this translation differs from the English original, the English original prevails.

Amazon managed policies for EC2 Image Builder

To add permissions to users, groups, and roles, it is easier to use Amazon managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use our Amazon managed policies. These policies cover common use cases and are available in your Amazon Web Services account. For more information about Amazon managed policies, see Amazon managed policies in the IAM User Guide.

Amazon Web Services maintains and updates Amazon managed policies. You can't change the permissions in Amazon managed policies. Services occasionally add permissions to an Amazon managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an Amazon managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an Amazon managed policy, so policy updates won't break your existing permissions.

Additionally, Amazon supports managed policies for job functions that span multiple services. For example, the ViewOnlyAccess Amazon managed policy provides read-only access to many Amazon Web Services services and resources. When a service launches a new feature, Amazon adds read-only permissions for the new operations and resources. For a list and descriptions of job function policies, see Amazon managed policies for job functions in the IAM User Guide.

AWSImageBuilderFullAccess policy

The AWSImageBuilderFullAccess policy grants full access to Image Builder resources for the role it is attached to, allowing that role to list, describe, create, update, and delete Image Builder resources. The policy also grants targeted permissions to related Amazon Web Services services where they are needed, for example to verify that resources exist, or to display the account's current resources in the Amazon Web Services Management Console.

Permissions details

This policy includes the following permissions:

  • Image Builder — Grants administrative access, so that the role can list, describe, create, update, and delete Image Builder resources.

  • Amazon EC2 — Grants access to the Amazon EC2 Describe actions needed to verify that a resource exists, or to get a list of the resources that belong to the account.

  • IAM — Grants access to get instance profiles whose name contains "imagebuilder", to list roles and instance profiles, to pass roles and instance profiles whose name contains "imagebuilder" (iam:PassRole, restricted to the ec2.amazonaws.com service), to verify that the Image Builder service-linked role exists through the iam:GetRole API action, and to create the Image Builder service-linked role.

  • License Manager — Grants access to list license configurations, and the licenses for a resource.

  • Amazon S3 — Grants access to list the buckets that belong to the account, and to list the contents of Image Builder buckets whose name contains "imagebuilder".

  • Amazon SNS — Grants sns:ListTopics for all topics, and sns:Publish for topics whose name contains "imagebuilder", so that ownership of an Image Builder topic can be verified.

Policy example

The following is an example of the AWSImageBuilderFullAccess policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["imagebuilder:*"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["sns:ListTopics"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["sns:Publish"],
      "Resource": "arn:aws:sns:*:*:*imagebuilder*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "license-manager:ListLicenseConfigurations",
        "license-manager:ListLicenseSpecificationsForResource"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:GetRole"],
      "Resource": "arn:aws:iam::*:role/aws-service-role/imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:GetInstanceProfile"],
      "Resource": "arn:aws:iam::*:instance-profile/*imagebuilder*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:ListInstanceProfiles", "iam:ListRoles"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": [
        "arn:aws:iam::*:instance-profile/*imagebuilder*",
        "arn:aws:iam::*:role/*imagebuilder*"
      ],
      "Condition": {
        "StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}
      }
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3::*:*imagebuilder*"
    },
    {
      "Action": "iam:CreateServiceLinkedRole",
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:role/aws-service-role/imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder",
      "Condition": {
        "StringLike": {"iam:AWSServiceName": "imagebuilder.amazonaws.com"}
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeImages",
        "ec2:DescribeSnapshots",
        "ec2:DescribeVpcs",
        "ec2:DescribeRegions",
        "ec2:DescribeVolumes",
        "ec2:DescribeSubnets",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeInstanceTypeOfferings",
        "ec2:DescribeLaunchTemplates"
      ],
      "Resource": "*"
    }
  ]
}

AWSImageBuilderReadOnlyAccess policy

The AWSImageBuilderReadOnlyAccess policy provides read-only access to all Image Builder resources. It also grants permission to verify that the Image Builder service-linked role exists through the iam:GetRole API action.

Permissions details

This policy includes the following permissions:

  • Image Builder — Grants read-only access to Image Builder resources.

  • IAM — Grants access to verify that the Image Builder service-linked role exists through the iam:GetRole API action.

Policy example

The following is an example of the AWSImageBuilderReadOnlyAccess policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["imagebuilder:Get*", "imagebuilder:List*"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:GetRole"],
      "Resource": "arn:aws:iam::*:role/aws-service-role/imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder"
    }
  ]
}

AWSServiceRoleForImageBuilder policy

The AWSServiceRoleForImageBuilder policy allows Image Builder to call Amazon Web Services services on your behalf.

Permissions details

This policy is attached to the Image Builder service-linked role when that role is created through Systems Manager. To review the specific permissions granted, see the policy example in this section. For more information about the Image Builder service-linked role, see Using service-linked roles for EC2 Image Builder.

This policy includes the following permissions:

  • CloudWatch Logs — Grants access to create CloudWatch Logs log streams and log groups, and to upload log events to any log group whose name begins with /aws/imagebuilder/.

  • Amazon EC2 — Allows Image Builder to create images and launch EC2 instances in your account, using the related snapshots, volumes, network interfaces, security groups, and key pairs as needed, as long as the images, instances, and volumes being created or used are tagged with CreatedBy: EC2 Image Builder or CreatedBy: EC2 Fast Launch.

    Image Builder can get information about Amazon EC2 images, instance attributes, instance status, the instance types available to your account, launch templates, subnets, and the tags on your Amazon EC2 resources.

    Image Builder can update image settings to enable or disable faster launching of Windows instances in your account, for images tagged with CreatedBy: EC2 Image Builder.

    Additionally, Image Builder can start, stop, and terminate instances running in your account, share Amazon EBS snapshots, create and update images and launch templates, deregister existing images, add tags, and copy images across accounts to which you have granted permissions through the Ec2ImageBuilderCrossAccountDistributionAccess policy. All of these actions require the Image Builder tagging described above.

  • Amazon ECR — Grants Image Builder access to create repositories for container image vulnerability scanning where needed, and to tag the resources it creates in order to limit the scope of its actions. Also grants Image Builder access to delete the container images it created for scanning once the vulnerability snapshot has been taken.

  • EventBridge — Grants Image Builder access to create and manage EventBridge rules.

  • IAM — Grants Image Builder access to pass any role in your account to Amazon EC2 and to VM Import/Export.

  • Amazon Inspector — Grants Image Builder access to determine when Amazon Inspector has completed a scan of a build instance, and to collect findings for images that are configured to allow scanning.

  • Amazon KMS — Grants Amazon EBS access to encrypt, decrypt, or re-encrypt Amazon EBS volumes. This is essential so that encrypted volumes work correctly while Image Builder builds an image.

  • License Manager — Grants Image Builder access to update License Manager specifications through license-manager:UpdateLicenseSpecificationsForResource.

  • Amazon SNS — Grants write permissions for any Amazon SNS topic in the account.

  • Systems Manager — Grants Image Builder access to list Systems Manager commands and their invocations, instance information, inventory entries, and automation execution status. Image Builder can also send automation signals, and stop automation executions for any resource in your account.

    Image Builder can send run-command invocations to any instance tagged "CreatedBy": "EC2 Image Builder" using the following script documents: AWS-RunPowerShellScript, AWS-RunShellScript, or AWSEC2-RunSysprep (the same ssm:SendCommand statement also lists arn:aws:s3:::* so that command output can be written to an S3 bucket). Image Builder can start Systems Manager automation executions in your account for automation documents whose names begin with ImageBuilder.

    Image Builder can also create or delete State Manager associations for any instance in your account, as long as the association document is AWS-GatherSoftwareInventory, and it can create the Systems Manager service-linked role in your account.

  • Amazon STS — Grants Image Builder access to assume the role named EC2ImageBuilderDistributionCrossAccountRole in any account whose trust policy for that role allows it. This is used for cross-account image distribution.

Policy example

The following is an example of the AWSServiceRoleForImageBuilder policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ec2:RunInstances"],
      "Resource": [
        "arn:aws:ec2:*::image/*",
        "arn:aws:ec2:*::snapshot/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:key-pair/*",
        "arn:aws:ec2:*:*:launch-template/*",
        "arn:aws:license-manager:*:*:license-configuration:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:RunInstances"],
      "Resource": [
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:instance/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/CreatedBy": ["EC2 Image Builder", "EC2 Fast Launch"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": ["ec2.amazonaws.com", "ec2.amazonaws.com.cn", "vmie.amazonaws.com"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:StopInstances", "ec2:StartInstances", "ec2:TerminateInstances"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {"ec2:ResourceTag/CreatedBy": "EC2 Image Builder"}
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CopyImage",
        "ec2:CreateImage",
        "ec2:CreateLaunchTemplate",
        "ec2:DeregisterImage",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceTypeOfferings",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags",
        "ec2:ModifyImageAttribute",
        "ec2:DescribeImportImageTasks",
        "ec2:DescribeExportImageTasks",
        "ec2:DescribeSnapshots"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:ModifySnapshotAttribute"],
      "Resource": "arn:aws:ec2:*::snapshot/*",
      "Condition": {
        "StringEquals": {"ec2:ResourceTag/CreatedBy": "EC2 Image Builder"}
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateTags"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": ["RunInstances", "CreateImage"],
          "aws:RequestTag/CreatedBy": ["EC2 Image Builder", "EC2 Fast Launch"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateTags"],
      "Resource": [
        "arn:aws:ec2:*::image/*",
        "arn:aws:ec2:*:*:export-image-task/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateTags"],
      "Resource": [
        "arn:aws:ec2:*::snapshot/*",
        "arn:aws:ec2:*:*:launch-template/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/CreatedBy": ["EC2 Image Builder", "EC2 Fast Launch"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["license-manager:UpdateLicenseSpecificationsForResource"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["sns:Publish"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:ListCommands",
        "ssm:ListCommandInvocations",
        "ssm:AddTagsToResource",
        "ssm:DescribeInstanceInformation",
        "ssm:GetAutomationExecution",
        "ssm:StopAutomationExecution",
        "ssm:ListInventoryEntries",
        "ssm:SendAutomationSignal",
        "ssm:DescribeInstanceAssociationsStatus",
        "ssm:DescribeAssociationExecutions"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ssm:SendCommand",
      "Resource": [
        "arn:aws:ssm:*:*:document/AWS-RunPowerShellScript",
        "arn:aws:ssm:*:*:document/AWS-RunShellScript",
        "arn:aws:ssm:*:*:document/AWSEC2-RunSysprep",
        "arn:aws:s3:::*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["ssm:SendCommand"],
      "Resource": ["arn:aws:ec2:*:*:instance/*"],
      "Condition": {
        "StringEquals": {"ssm:resourceTag/CreatedBy": ["EC2 Image Builder"]}
      }
    },
    {
      "Effect": "Allow",
      "Action": "ssm:StartAutomationExecution",
      "Resource": "arn:aws:ssm:*:*:automation-definition/ImageBuilder*"
    },
    {
      "Effect": "Allow",
      "Action": ["ssm:CreateAssociation", "ssm:DeleteAssociation"],
      "Resource": [
        "arn:aws:ssm:*:*:document/AWS-GatherSoftwareInventory",
        "arn:aws:ssm:*:*:association/*",
        "arn:aws:ec2:*:*:instance/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncryptFrom",
        "kms:ReEncryptTo",
        "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource": "*",
      "Condition": {
        "ForAllValues:StringEquals": {"kms:EncryptionContextKeys": ["aws:ebs:id"]},
        "StringLike": {"kms:ViaService": ["ec2.*.amazonaws.com"]}
      }
    },
    {
      "Effect": "Allow",
      "Action": ["kms:DescribeKey"],
      "Resource": "*",
      "Condition": {
        "StringLike": {"kms:ViaService": ["ec2.*.amazonaws.com"]}
      }
    },
    {
      "Effect": "Allow",
      "Action": "kms:CreateGrant",
      "Resource": "*",
      "Condition": {
        "Bool": {"kms:GrantIsForAWSResource": true},
        "StringLike": {"kms:ViaService": ["ec2.*.amazonaws.com"]}
      }
    },
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::*:role/EC2ImageBuilderDistributionCrossAccountRole"
    },
    {
      "Effect": "Allow",
      "Action": ["logs:CreateLogStream", "logs:CreateLogGroup", "logs:PutLogEvents"],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/imagebuilder/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateLaunchTemplateVersion",
        "ec2:DescribeLaunchTemplates",
        "ec2:ModifyLaunchTemplate",
        "ec2:DescribeLaunchTemplateVersions"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:ExportImage"],
      "Resource": "arn:aws:ec2:*::image/*",
      "Condition": {
        "StringEquals": {"ec2:ResourceTag/CreatedBy": "EC2 Image Builder"}
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:ExportImage"],
      "Resource": "arn:aws:ec2:*:*:export-image-task/*"
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CancelExportTask"],
      "Resource": "arn:aws:ec2:*:*:export-image-task/*",
      "Condition": {
        "StringEquals": {"ec2:ResourceTag/CreatedBy": "EC2 Image Builder"}
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": ["ssm.amazonaws.com", "ec2fastlaunch.amazonaws.com"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:EnableFastLaunch"],
      "Resource": [
        "arn:aws:ec2:*::image/*",
        "arn:aws:ec2:*:*:launch-template/*"
      ],
      "Condition": {
        "StringEquals": {"ec2:ResourceTag/CreatedBy": "EC2 Image Builder"}
      }
    },
    {
      "Effect": "Allow",
      "Action": ["inspector2:ListCoverage", "inspector2:ListFindings"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["ecr:CreateRepository"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {"aws:RequestTag/CreatedBy": "EC2 Image Builder"}
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ecr:TagResource"],
      "Resource": "arn:aws:ecr:*:*:repository/image-builder-*",
      "Condition": {
        "StringEquals": {"aws:RequestTag/CreatedBy": "EC2 Image Builder"}
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ecr:BatchDeleteImage"],
      "Resource": "arn:aws:ecr:*:*:repository/image-builder-*",
      "Condition": {
        "StringEquals": {"ecr:ResourceTag/CreatedBy": "EC2 Image Builder"}
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "events:DeleteRule",
        "events:DescribeRule",
        "events:PutRule",
        "events:PutTargets",
        "events:RemoveTargets"
      ],
      "Resource": ["arn:aws:events:*:*:rule/ImageBuilder-*"]
    }
  ]
}

Ec2ImageBuilderCrossAccountDistributionAccess policy

The Ec2ImageBuilderCrossAccountDistributionAccess policy grants Image Builder permission to distribute images across accounts in the target Regions. Additionally, Image Builder can describe, copy, and apply tags to any Amazon EC2 image in the account. The policy also allows AMI permissions to be modified through the ec2:ModifyImageAttribute API action.

Permissions details

This policy includes the following permissions:

  • Amazon EC2 — Grants access to describe, copy, and modify the attributes of images, and to create tags for any Amazon EC2 image in the account.

Policy example

The following is an example of the Ec2ImageBuilderCrossAccountDistributionAccess policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:*::image/*"
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:DescribeImages", "ec2:CopyImage", "ec2:ModifyImageAttribute"],
      "Resource": "*"
    }
  ]
}

EC2InstanceProfileForImageBuilder policy

The EC2InstanceProfileForImageBuilder policy grants the minimum permissions that an EC2 instance needs to work with Image Builder. This does not include the permissions that the Systems Manager Agent needs.

Permissions details

This policy includes the following permissions:

  • CloudWatch Logs — Grants access to create CloudWatch Logs log streams and log groups, and to upload log events to any log group whose name begins with /aws/imagebuilder/.

  • Image Builder — Grants access to get any Image Builder component.

  • Amazon KMS — Grants access to decrypt an Image Builder component, if it was encrypted with Amazon KMS.

  • Amazon S3 — Grants access to get objects stored in Amazon S3 buckets whose name begins with ec2imagebuilder-.

Policy example

The following is an example of the EC2InstanceProfileForImageBuilder policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["imagebuilder:GetComponent"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["kms:Decrypt"],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "kms:EncryptionContextKeys": "aws:imagebuilder:arn",
          "aws:CalledVia": ["imagebuilder.amazonaws.com"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::ec2imagebuilder*"
    },
    {
      "Effect": "Allow",
      "Action": ["logs:CreateLogStream", "logs:CreateLogGroup", "logs:PutLogEvents"],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/imagebuilder/*"
    }
  ]
}
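The condition blocks in these policies are where the least-privilege work happens, and they are easy to misread: the service-linked role may stop or terminate only instances tagged CreatedBy: EC2 Image Builder, may pass roles only to EC2 and VM Import/Export, and may use KMS only through EC2 with an EBS encryption context; the AWSImageBuilderFullAccess policy may pass only roles and instance profiles whose names contain "imagebuilder"; and the EC2InstanceProfileForImageBuilder policy above may decrypt only when Image Builder is the calling service and the encryption context carries aws:imagebuilder:arn. The following is an added example, not AWS code, of a small offline evaluator for exactly those condition forms, run against constructed excerpts of the AWSServiceRoleForImageBuilder, AWSImageBuilderFullAccess, and EC2InstanceProfileForImageBuilder statements shown on this page. The account ID 111122223333 and the resource ARNs are constructed sample input. The evaluator assumes a single identity policy and ignores SCPs, permission boundaries, and resource policies, so it is a reading aid for the policies on this page, not a substitute for the IAM policy simulator.

```python
"""Offline evaluator for the condition forms used by the Image Builder managed policies.

Added example, not AWS code. It handles only what those policies use: Allow/Deny, '*'/'?'
wildcards, StringEquals, StringLike, and the ForAllValues/ForAnyValue set qualifiers, and
assumes a single identity policy (no SCPs, permission boundaries or resource policies).
"""
import re


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wild(pattern, value, ci=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is exactly one."""
    regex = ".*".join(re.escape(part).replace(r"\?", ".") for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE if ci else 0) is not None


def _test(operator, have, want):
    if operator == "StringEquals":
        return have == want
    if operator == "StringLike":
        return _wild(want, have)
    raise ValueError(f"operator {operator} is not handled by this example")


def _conditions_hold(condition, ctx):
    """Evaluate a Condition block against a request context whose keys are lower-cased."""
    for operator, pairs in condition.items():
        qualifier, _, base = operator.rpartition(":")  # "ForAnyValue:StringEquals" -> ("ForAnyValue", "StringEquals")
        for key, wanted in pairs.items():
            wanted = [str(w) for w in _as_list(wanted)]
            have = [str(h) for h in _as_list(ctx.get(key.lower(), []))]
            hits = [any(_test(base, h, w) for w in wanted) for h in have]
            if qualifier == "ForAllValues":      # every supplied value must match; vacuously true if the key is absent
                ok = all(hits)
            elif qualifier == "ForAnyValue":     # at least one supplied value must match; false if the key is absent
                ok = any(hits)
            else:                                # single-valued key: must be present exactly once and match
                ok = len(hits) == 1 and hits[0]
            if not ok:
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """True if the identity policy allows `action` on `resource` under this request context."""
    ctx = {k.lower(): v for k, v in (context or {}).items()}
    allowed = False
    for st in policy["Statement"]:
        if not any(_wild(a, action, ci=True) for a in _as_list(st["Action"])):
            continue
        if not any(_wild(r, resource) for r in _as_list(st["Resource"])):
            continue
        if not _conditions_hold(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return False                         # an explicit Deny always wins
        allowed = True
    return allowed


# Constructed excerpts of the policies shown on this page: only the statements exercised below.
SERVICE_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:StopInstances", "ec2:StartInstances", "ec2:TerminateInstances"],
     "Resource": "*", "Condition": {"StringEquals": {"ec2:ResourceTag/CreatedBy": "EC2 Image Builder"}}},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*", "Condition": {"StringEquals": {
        "iam:PassedToService": ["ec2.amazonaws.com", "ec2.amazonaws.com.cn", "vmie.amazonaws.com"]}}},
    {"Effect": "Allow", "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
                                   "kms:GenerateDataKeyWithoutPlaintext"], "Resource": "*",
     "Condition": {"ForAllValues:StringEquals": {"kms:EncryptionContextKeys": ["aws:ebs:id"]},
                   "StringLike": {"kms:ViaService": ["ec2.*.amazonaws.com"]}}}]}
FULL_ACCESS_PASSROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole", "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}},
     "Resource": ["arn:aws:iam::*:instance-profile/*imagebuilder*", "arn:aws:iam::*:role/*imagebuilder*"]}]}
INSTANCE_PROFILE_KMS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": "*", "Condition": {"ForAnyValue:StringEquals": {
        "kms:EncryptionContextKeys": "aws:imagebuilder:arn", "aws:CalledVia": ["imagebuilder.amazonaws.com"]}}}]}


def check_scoping():
    """Requests a misused credential might attempt, and the verdict each policy gives."""
    acct = "111122223333"                                   # constructed sample account ID
    inst = f"arn:aws:ec2:us-east-1:{acct}:instance/i-0123456789abcdef0"
    key = f"arn:aws:kms:us-east-1:{acct}:key/11111111-2222-3333-4444-555555555555"
    role = f"arn:aws:iam::{acct}:role/"
    ec2 = {"iam:PassedToService": "ec2.amazonaws.com"}
    return {
        # service-linked role: termination hinges on the CreatedBy tag, not on who owns the instance
        "slr_terminate_tagged": is_allowed(SERVICE_ROLE, "ec2:TerminateInstances", inst,
                                           {"ec2:ResourceTag/CreatedBy": "EC2 Image Builder"}),
        "slr_terminate_untagged": is_allowed(SERVICE_ROLE, "ec2:TerminateInstances", inst),
        # service-linked role: any role may be passed, but only to EC2 or VM Import/Export
        "slr_passrole_to_ec2": is_allowed(SERVICE_ROLE, "iam:PassRole", role + "AnyRole", ec2),
        "slr_passrole_to_lambda": is_allowed(SERVICE_ROLE, "iam:PassRole", role + "AnyRole",
                                             {"iam:PassedToService": "lambda.amazonaws.com"}),
        # service-linked role: KMS only through EC2 with an EBS encryption context; a direct Decrypt is refused
        "slr_kms_via_ebs": is_allowed(SERVICE_ROLE, "kms:Decrypt", key, {
            "kms:ViaService": "ec2.us-east-1.amazonaws.com", "kms:EncryptionContextKeys": ["aws:ebs:id"]}),
        "slr_kms_direct": is_allowed(SERVICE_ROLE, "kms:Decrypt", key, {"kms:EncryptionContextKeys": ["aws:ebs:id"]}),
        # full-access user: PassRole is name-scoped, so an admin role cannot be handed to a build instance
        "user_passrole_named": is_allowed(FULL_ACCESS_PASSROLE, "iam:PassRole", role + "my-imagebuilder-build", ec2),
        "user_passrole_admin": is_allowed(FULL_ACCESS_PASSROLE, "iam:PassRole", role + "AdminRole", ec2),
        # build instance: Decrypt only for component material called via Image Builder, not for EBS material
        "profile_decrypt_component": is_allowed(INSTANCE_PROFILE_KMS, "kms:Decrypt", key, {
            "kms:EncryptionContextKeys": ["aws:imagebuilder:arn"], "aws:CalledVia": ["imagebuilder.amazonaws.com"]}),
        "profile_decrypt_ebs": is_allowed(INSTANCE_PROFILE_KMS, "kms:Decrypt", key,
                                          {"kms:EncryptionContextKeys": ["aws:ebs:id"]}),
    }
```

Run check_scoping() and every key ending in _tagged, _to_ec2, _via_ebs, _named or _component comes back True while the others come back False. The two verdicts worth keeping in mind when you write a customer managed policy for your own build role are slr_passrole_to_ec2 (the service-linked role can pass any role in the account to EC2, so the role named in your infrastructure configuration is the real boundary) and user_passrole_admin (the full-access policy refuses it only because of the "imagebuilder" name match, which is why build roles should follow that naming convention rather than be reused from elsewhere).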

EC2InstanceProfileForImageBuilderECRContainerBuilds policy

The EC2InstanceProfileForImageBuilderECRContainerBuilds policy grants the minimum permissions that an EC2 instance needs when it uses Image Builder to build Docker images and then register and store them in an Amazon ECR container repository. This does not include the permissions that the Systems Manager Agent needs.

Permissions details

This policy includes the following permissions:

  • CloudWatch Logs — Grants access to create CloudWatch Logs log streams and log groups, and to upload log events to any log group whose name begins with /aws/imagebuilder/.

  • Amazon ECR — Grants access to get, register, and store container images, and to get an authorization token.

  • Image Builder — Grants access to get Image Builder components or container recipes.

  • Amazon KMS — Grants access to decrypt an Image Builder component or container recipe, if it was encrypted with Amazon KMS.

  • Amazon S3 — Grants access to get objects stored in Amazon S3 buckets whose name begins with ec2imagebuilder-.

Policy example

The following is an example of the EC2InstanceProfileForImageBuilderECRContainerBuilds policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "imagebuilder:GetComponent",
        "imagebuilder:GetContainerRecipe",
        "ecr:GetAuthorizationToken",
        "ecr:BatchGetImage",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:PutImage"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["kms:Decrypt"],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "kms:EncryptionContextKeys": "aws:imagebuilder:arn",
          "aws:CalledVia": ["imagebuilder.amazonaws.com"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::ec2imagebuilder*"
    },
    {
      "Effect": "Allow",
      "Action": ["logs:CreateLogStream", "logs:CreateLogGroup", "logs:PutLogEvents"],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/imagebuilder/*"
    }
  ]
}

Image Builder updates to Amazon managed policies

This section lists the updates to Amazon managed policies for Image Builder since the service began tracking these changes. For alerts about changes to this page, subscribe to the RSS feed on the Image Builder Document history page. Each entry gives the change, its description, and its date.

AWSServiceRoleForImageBuilder – Update to an existing policy (March 2023)

Image Builder made the following changes to the service role policy so that Image Builder workflows can collect vulnerability findings for AMI and ECR container image builds. The new permissions support the CVE detection and reporting features.

  • Added inspector2:ListCoverage and inspector2:ListFindings, so that Image Builder can determine when Amazon Inspector has completed a scan of the build instance and collect findings for images that are configured to allow scanning.

  • Added ecr:CreateRepository, which requires Image Builder to tag the repository with CreatedBy: EC2 Image Builder (tag-on-create). Also added ecr:TagResource with the same CreatedBy tag constraint (tag-on-create required), plus the additional constraint that the repository name must begin with image-builder-*. The name constraint prevents privilege escalation and prevents changes to repositories that Image Builder did not create.

  • Added ecr:BatchDeleteImage for ECR repositories tagged CreatedBy: EC2 Image Builder. This permission requires that the repository name begins with image-builder-*.

  • Added events permissions so that Image Builder can create and manage Amazon EventBridge managed rules whose names begin with ImageBuilder-*.

AWSServiceRoleForImageBuilder – Update to an existing policy (March 22, 2022)

Image Builder made the following change to the service role policy:

  • Added License Manager license configurations as a resource for ec2:RunInstances calls, so that customers can use base image AMIs that are associated with a license configuration.

AWSServiceRoleForImageBuilder – Update to an existing policy (February 21, 2022)

Image Builder made the following changes to the service role policy:

  • Added permission for the EC2 EnableFastLaunch API action, to enable and disable faster launching of Windows instances.

  • Further narrowed the scope of the ec2:CreateTags action and its resource tag conditions.

AWSServiceRoleForImageBuilder – Update to an existing policy (November 2021)

Image Builder made the following changes to the service role policy:

  • Added permissions to call the VMIE service to import a VM and create a base AMI from it.

  • Tightened the scope of the ec2:CreateTags action and its resource tag conditions.

AWSServiceRoleForImageBuilder – Update to an existing policy (August 11, 2021)

Image Builder added new permissions to fix an issue where multiple inventory associations caused image builds to get stuck.

AWSImageBuilderFullAccess – Update to an existing policy (April 13, 2021)

Image Builder made the following change to the full access policy:

  • Added permission to call ec2:DescribeInstanceTypeOfferings, so that the Image Builder console accurately reflects the instance types available in the account.

Image Builder started tracking changes (April 2021)

Image Builder started tracking changes for its Amazon managed policies.