限制从 EC2 实例对 DynamoDB 的访问
我有一项服务,其中有长期运行的工作。每个作业都有一个 GUID。我将有关该作业的信息存储在 dynamodb 中,并使用作业 GUID 作为分区键。每个作业都有一个关联的 EC2 实例(以及 EC2 实例上运行的一些极其不可信的代码)。 我想要做到这一点,以便与特定作业关联的 EC2 实例只能访问 dynamodb 中与该作业关联的条目。
我之前尝试的是使用该作业标记 EC2 实例GUID 然后使用类似下面的内容来比较 dynamodb 主键与 EC2 标签。
{
"Sid": "UpdateDynamo",
"Effect": "Allow",
"Action": "dynamodb:UpdateItem",
"Resource": "arn:aws:dynamodb:us-east-1:720911909616:table/test",
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:LeadingKeys": [
"${aws:PrincipalTag/job_guid}"
]
}
}
}
这不起作用,因为“PrincipalTag”引用的是 IAM 角色,而不是 EC2 实例。
对此有什么好的解决办法吗?
I have a service where I have long running jobs. Each job has a GUID. I store information about that job in dynamodb and use the job GUID as the partition key. There's an EC2 instance associated with each job (and some extremely untrustworthy code running on the EC2 instance). I want to make it so that the EC2 instance associated with a particular job can only have access to the entry in dynamodb associated with that job.
What I was trying before was to tag an EC2 instance with the job GUID then use something like whats below to compare dynamodb leading keys with EC2 tags.
{
"Sid": "UpdateDynamo",
"Effect": "Allow",
"Action": "dynamodb:UpdateItem",
"Resource": "arn:aws:dynamodb:us-east-1:720911909616:table/test",
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:LeadingKeys": [
"${aws:PrincipalTag/job_guid}"
]
}
}
}
This didn't work because "PrincipalTag" refers to the IAM role and not the EC2 instance.
What is a good solution to this?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
您将无法使用单个策略/角色来实现此目的,因为没有 AWS 范围的条件键可以评估 EC2 实例的标签,您可以使用它来与 dynamodb:LeadingKeys 进行比较>。
鉴于您的用例,我建议设置一个无服务器解决方案(可能是 Lambda 函数),对于每个作业:
dynamodb:UpdateItem该特定作业的You will not be able to achieve this with a single policy/role, because there is no AWS-wide condition key that will evaluate to the tag of the EC2 instance that you can use to compare to
dynamodb:LeadingKeys.Given your use case, I would therefore suggest setting up a serverless solution (probably a Lambda function) that, for each job:
dynamodb:UpdateItemonly for the GUID of that particular job您还可以使用
${aws:userid}替换变量(例如"dynamodb:LeadingKeys": ["${aws:userid}"])来匹配 < code>role-id:ec2-instance-id (请参阅详细信息 此处):因此您的 DynamoDB 表主键将如下所示:
You can also use the
${aws:userid}substitution variable (e.g."dynamodb:LeadingKeys": ["${aws:userid}"]) to match withrole-id:ec2-instance-id(see details here):So your DynamoDB table primary key would look like: