本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
Amazon Inspector 无代理扫描的服务相关角色权限
Amazon Inspector 无代理扫描使用名为 AWSServiceRoleForAmazonInspector2Agentless 的服务相关角色。这个 SLR 允许 Amazon Inspector 在您的账户中创建 Amazon EBS 卷快照,然后访问该快照中的数据。该服务相关角色信任 agentless.inspector2.amazonaws.com 服务担任该角色。
重要
此服务相关角色中的语句会阻止 Amazon Inspector 对您使用 InspectorEc2Exclusion 标签从扫描中排除的任何 EC2 实例执行无代理扫描。此外,当用于加密卷的 KMS 密钥带有 InspectorEc2Exclusion 标签时,这些语句会阻止 Amazon Inspector 访问相应卷中的加密数据。有关更多信息,请参阅 从 Amazon Inspector 扫描中排除实例。
该角色的权限策略名为 AmazonInspector2AgentlessServiceRolePolicy,允许 Amazon Inspector 执行以下任务:
-
使用 Amazon Elastic Compute Cloud(Amazon EC2)操作检索有关 EC2 实例、卷和快照的信息。
使用 Amazon EC2 标记操作,用
InspectorScan标签键为扫描的快照添加标签。使用 Amazon EC2 快照操作创建快照,用
InspectorScan标签键为其添加标签,然后删除 Amazon EBS 卷带有InspectorScan标签键的快照。
-
使用 Amazon EBS 操作,从带有
InspectorScan标签键的快照中检索信息。 使用选择 Amazon KMS 解密操作来解密使用客户托管密钥加密的 Amazon KMS 快照。当用于加密快照的 KMS 密钥带有
InspectorEc2Exclusion标签时,Amazon Inspector 不会解密相应快照。
该角色使用以下权限策略进行配置:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "InstanceIdentification", "Effect": "Allow", "Action": [ "ec2:DescribeInstances", "ec2:DescribeVolumes", "ec2:DescribeSnapshots" ], "Resource": "*" }, { "Sid": "GetSnapshotData", "Effect": "Allow", "Action": [ "ebs:ListSnapshotBlocks", "ebs:GetSnapshotBlock" ], "Resource": "arn:aws:ec2:*:*:snapshot/*", "Condition": { "StringLike": { "aws:ResourceTag/InspectorScan": "*" } } }, { "Sid": "CreateSnapshotsAnyInstanceOrVolume", "Effect": "Allow", "Action": "ec2:CreateSnapshots", "Resource": [ "arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*" ] }, { "Sid": "DenyCreateSnapshotsOnExcludedInstances", "Effect": "Deny", "Action": "ec2:CreateSnapshots", "Resource": "arn:aws:ec2:*:*:instance/*", "Condition": { "StringEquals": { "ec2:ResourceTag/InspectorEc2Exclusion": "true" } } }, { "Sid": "CreateSnapshotsOnAnySnapshotOnlyWithTag", "Effect": "Allow", "Action": "ec2:CreateSnapshots", "Resource": "arn:aws:ec2:*:*:snapshot/*", "Condition": { "Null": { "aws:TagKeys": "false" }, "ForAllValues:StringEquals": { "aws:TagKeys": "InspectorScan" } } }, { "Sid": "CreateOnlyInspectorScanTagOnlyUsingCreateSnapshots", "Effect": "Allow", "Action": "ec2:CreateTags", "Resource": "arn:aws:ec2:*:*:snapshot/*", "Condition": { "StringLike": { "ec2:CreateAction": "CreateSnapshots" }, "Null": { "aws:TagKeys": "false" }, "ForAllValues:StringEquals": { "aws:TagKeys": "InspectorScan" } } }, { "Sid": "DeleteOnlySnapshotsTaggedForScanning", "Effect": "Allow", "Action": "ec2:DeleteSnapshot", "Resource": "arn:aws:ec2:*:*:snapshot/*", "Condition": { "StringLike": { "ec2:ResourceTag/InspectorScan": "*" } } }, { "Sid": "DenyKmsDecryptForExcludedKeys", "Effect": "Deny", "Action": "kms:Decrypt", "Resource": "arn:aws:kms:*:*:key/*", "Condition": { "StringEquals": { "aws:ResourceTag/InspectorEc2Exclusion": "true" } } }, { "Sid": "DecryptSnapshotBlocksVolContext", "Effect": "Allow", "Action": "kms:Decrypt", "Resource": "arn:aws:kms:*:*:key/*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" }, "StringLike": { "kms:ViaService": "ec2.*.amazonaws.com", "kms:EncryptionContext:aws:ebs:id": "vol-*" } } }, { "Sid": "DecryptSnapshotBlocksSnapContext", "Effect": "Allow", "Action": "kms:Decrypt", "Resource": "arn:aws:kms:*:*:key/*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" }, "StringLike": { "kms:ViaService": "ec2.*.amazonaws.com", "kms:EncryptionContext:aws:ebs:id": "snap-*" } } }, { "Sid": "DescribeKeysForEbsOperations", "Effect": "Allow", "Action": "kms:DescribeKey", "Resource": "arn:aws:kms:*:*:key/*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" }, "StringLike": { "kms:ViaService": "ec2.*.amazonaws.com" } } }, { "Sid": "ListKeyResourceTags", "Effect": "Allow", "Action": "kms:ListResourceTags", "Resource": "arn:aws:kms:*:*:key/*" } ] }