AWS IAM usage notes: creating a customer managed policy

20180907 陈信
Read-only access to CloudWatch

Create one user that only has permission to view CloudWatch (the user also needs EC2 describe permission so it can read instance tags and tell what each instance is for).

Log in to the IAM console.

Create a group.
Attach a policy to the group.
Create a user and add the user to the corresponding group.

The default AWS managed policies include CloudWatchReadOnlyAccess (this policy lets the user view CloudWatch, but instance names are not shown, so the user cannot tell which instance a tag name belongs to).
Open the CloudWatchReadOnlyAccess policy.
Choose "Permissions" -> "{}JSON" and copy the policy JSON.

Goal: AWS managed policies cannot be modified, so we need to create a customer managed policy and attach that policy to our user group.

In the Policies sidebar choose "Create policy" -> JSON and enter the following (the line we added ourselves was highlighted in red in the original; everything else is the default content of the CloudWatchReadOnlyAccess policy).
Add one line, "ec2:Describe*", to the Action list, as follows:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "autoscaling:Describe*",
                "cloudwatch:Describe*",
                "cloudwatch:Get*",
                "cloudwatch:List*",
                "ec2:Describe*",
                "logs:Get*",
                "logs:List*",
                "logs:Describe*",
                "logs:TestMetricFilter",
                "logs:FilterLogEvents",
                "sns:Get*",
                "sns:List*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
Enter the policy name: CloudWatchReadOnlyAccess-Soomi

Attach the newly created customer managed policy to the group.
That completes the whole process.

Sign-in URL: https://651544429366.signin.aws.amazon.com/console
Account: 651544429366
User name: cloudwatch-read
Password: xxx
IAM group: ReadOnlyUser-cloudwatch
IAM customer managed policy: CloudWatchReadOnlyAccess-Soomi
Policy description: in addition to cloudwatch-read-all, adds EC2 describe (read) permission

Read-only access to one (or more) S3 buckets
Reference: https://docs.aws.amazon.com/zh_cn/IAM/latest/UserGuide/reference_policies_examples_s3_rw-bucket-console.html
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:HeadBucket",
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::arch-log"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::arch-log/*"
            ]
        }
    ]
}

For multiple buckets, the policy can look like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:HeadBucket",
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::tmp-data-restore",
                "arn:aws:s3:::arch-log"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::tmp-data-restore/*",
                "arn:aws:s3:::arch-log/*"
            ]
        }
    ]
}
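As an added example (not code from the post), both procedures above in Python: a helper that copies the quoted CloudWatchReadOnlyAccess document and adds "ec2:Describe*" to it (AWS managed policies cannot be edited, so the copy becomes the customer managed policy), a builder that generalises the one- and two-bucket S3 policies to any list of bucket names, and a check that every action in the result is read-only. The base policy dict and the read-only verb list are constructed here; the bucket names are the page's own.

```python
import json

# Constructed here: the AWS managed CloudWatchReadOnlyAccess document as quoted in the post (2018).
CLOUDWATCH_READONLY_BASE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["autoscaling:Describe*", "cloudwatch:Describe*", "cloudwatch:Get*",
                   "cloudwatch:List*", "logs:Get*", "logs:List*", "logs:Describe*",
                   "logs:TestMetricFilter", "logs:FilterLogEvents", "sns:Get*", "sns:List*"],
        "Effect": "Allow",
        "Resource": "*",
    }],
}

# Heuristic verb allow-list: anything not starting with one of these is treated as a write.
READ_ONLY_VERBS = ("Describe", "Get", "List", "Head", "TestMetricFilter", "FilterLogEvents")

def is_read_only_action(action):
    """True when 'service:Verb...' starts with a read-only verb (wildcards like Describe* pass)."""
    service, _, verb = action.partition(":")
    return bool(service) and verb.startswith(READ_ONLY_VERBS)

def extend_read_only_policy(base, extra_actions):
    """Deep-copy a managed policy and add actions to its single Allow statement.
    Non-read-only actions are refused so the customer managed copy stays read-only."""
    bad = [a for a in extra_actions if not is_read_only_action(a)]
    if bad:
        raise ValueError(f"not read-only: {bad}")
    doc = json.loads(json.dumps(base))  # copy; the managed original is never mutated
    actions = doc["Statement"][0]["Action"]
    actions.extend(a for a in extra_actions if a not in actions)
    return doc

def build_s3_read_only_policy(buckets):
    """Generalise the one- and two-bucket S3 policies to any list of bucket names."""
    arns = [f"arn:aws:s3:::{b}" for b in buckets]
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["s3:HeadBucket", "s3:GetBucketLocation", "s3:ListAllMyBuckets"]},
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": arns},
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": [a + "/*" for a in arns]},
    ]}

def all_read_only(doc):
    """Lint: every action in every statement must match a read-only verb ("Action" may be a string)."""
    return all(is_read_only_action(a) for s in doc["Statement"]
               for a in ([s["Action"]] if isinstance(s["Action"], str) else s["Action"]))
```

The verb prefix check is only a coarse guard: some Get* actions return data (for example object contents), so review the resource scope of the final document as well.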

Reposted from www.cnblogs.com/chanix/p/12739238.html