本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。 # Amazon Inspector 无代理扫描的服务相关角色权限 Amazon Inspector 无代理扫描使用名为 `AWSServiceRoleForAmazonInspector2Agentless` 的服务相关角色。这个 SLR 允许 Amazon Inspector 在您的账户中创建 Amazon EBS 卷快照,然后访问该快照中的数据。该服务相关角色信任 `agentless.inspector2.amazonaws.com` 服务担任该角色。 **重要** 此服务相关角色中的语句会阻止 Amazon Inspector 对您使用 `InspectorEc2Exclusion` 标签从扫描中排除的任何 EC2 实例执行无代理扫描。此外,当用于加密卷的 KMS 密钥带有 `InspectorEc2Exclusion` 标签时,这些语句会阻止 Amazon Inspector 访问相应卷中的加密数据。有关更多信息,请参阅 [从 Amazon Inspector 扫描中排除实例](scanning-ec2.md#exclude-ec2)。 该角色的权限策略名为 `AmazonInspector2AgentlessServiceRolePolicy`,允许 Amazon Inspector 执行以下任务: + 使用 Amazon Elastic Compute Cloud(Amazon EC2)操作检索有关 EC2 实例、卷和快照的信息。 + 使用 Amazon EC2 标记操作,用 `InspectorScan` 标签键为扫描的快照添加标签。 + 使用 Amazon EC2 快照操作创建快照,用 `InspectorScan` 标签键为其添加标签,然后删除 Amazon EBS 卷带有 `InspectorScan` 标签键的快照。 + 使用 Amazon EBS 操作,从带有 `InspectorScan` 标签键的快照中检索信息。 + 使用选择 Amazon KMS 解密操作来解密使用客户托管密钥加密的 Amazon KMS 快照。当用于加密快照的 KMS 密钥带有 `InspectorEc2Exclusion` 标签时,Amazon Inspector 不会解密相应快照。 该角色使用以下权限策略进行配置: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "InstanceIdentification", "Effect": "Allow", "Action": [ "ec2:DescribeInstances", "ec2:DescribeVolumes", "ec2:DescribeSnapshots" ], "Resource": "*" }, { "Sid": "GetSnapshotData", "Effect": "Allow", "Action": [ "ebs:ListSnapshotBlocks", "ebs:GetSnapshotBlock" ], "Resource": "arn:aws:ec2:*:*:snapshot/*", "Condition": { "StringLike": { "aws:ResourceTag/InspectorScan": "*" } } }, { "Sid": "CreateSnapshotsAnyInstanceOrVolume", "Effect": "Allow", "Action": "ec2:CreateSnapshots", "Resource": [ "arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*" ] }, { "Sid": "DenyCreateSnapshotsOnExcludedInstances", "Effect": "Deny", "Action": "ec2:CreateSnapshots", "Resource": "arn:aws:ec2:*:*:instance/*", "Condition": { "StringEquals": { "ec2:ResourceTag/InspectorEc2Exclusion": "true" } } }, { "Sid": "CreateSnapshotsOnAnySnapshotOnlyWithTag", "Effect": "Allow", "Action": "ec2:CreateSnapshots", "Resource": "arn:aws:ec2:*:*:snapshot/*", "Condition": { "Null": { "aws:TagKeys": "false" }, "ForAllValues:StringEquals": { "aws:TagKeys": "InspectorScan" } } }, { "Sid": "CreateOnlyInspectorScanTagOnlyUsingCreateSnapshots", "Effect": "Allow", "Action": "ec2:CreateTags", "Resource": "arn:aws:ec2:*:*:snapshot/*", "Condition": { "StringLike": { "ec2:CreateAction": "CreateSnapshots" }, "Null": { "aws:TagKeys": "false" }, "ForAllValues:StringEquals": { "aws:TagKeys": "InspectorScan" } } }, { "Sid": "DeleteOnlySnapshotsTaggedForScanning", "Effect": "Allow", "Action": "ec2:DeleteSnapshot", "Resource": "arn:aws:ec2:*:*:snapshot/*", "Condition": { "StringLike": { "ec2:ResourceTag/InspectorScan": "*" } } }, { "Sid": "DenyKmsDecryptForExcludedKeys", "Effect": "Deny", "Action": "kms:Decrypt", "Resource": "arn:aws:kms:*:*:key/*", "Condition": { "StringEquals": { "aws:ResourceTag/InspectorEc2Exclusion": "true" } } }, { "Sid": "DecryptSnapshotBlocksVolContext", "Effect": "Allow", "Action": "kms:Decrypt", "Resource": "arn:aws:kms:*:*:key/*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" }, "StringLike": { "kms:ViaService": "ec2.*.amazonaws.com", "kms:EncryptionContext:aws:ebs:id": "vol-*" } } }, { "Sid": "DecryptSnapshotBlocksSnapContext", "Effect": "Allow", "Action": "kms:Decrypt", "Resource": "arn:aws:kms:*:*:key/*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" }, "StringLike": { "kms:ViaService": "ec2.*.amazonaws.com", "kms:EncryptionContext:aws:ebs:id": "snap-*" } } }, { "Sid": "DescribeKeysForEbsOperations", "Effect": "Allow", "Action": "kms:DescribeKey", "Resource": "arn:aws:kms:*:*:key/*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" }, "StringLike": { "kms:ViaService": "ec2.*.amazonaws.com" } } }, { "Sid": "ListKeyResourceTags", "Effect": "Allow", "Action": "kms:ListResourceTags", "Resource": "arn:aws:kms:*:*:key/*" } ] } ``` ------