如何检查EC2是否与适当的政策相关联
在我的公司中,我无法访问AWS控制台,但是我们公司的AWS管理员创建了一个EC2实例,并让我通过SSH访问它。
当我要求创建EC2实例时,我给出了EC2实例所需的策略。
但是,管理员通常会忘记将某些政策与EC2实例相关联。
因此,如果有足够的权力来执行某些行为,请自动检查检查我的EC2实例的过程。
Action: cloudwatch:GetMetricData - Resource: *
Action: rds:DescribeExportTasks - Resource: *
Action: rds:StartExportTask - Resource: *
Action: rds:DescribeDBSnapshots - Resource: arn:aws:rds::region:account:snapshot:*
我进行了一些研究,并伸手到达了AWS-CLI,并找到了一些检查命令,但想知道是否有任何方法可以不要求更多的权威来检查实例。
In my company I have no access to AWS console but our company's AWS administrator creates an EC2 instance and lets me access to it through ssh.
When I ask for a creation of EC2 instance, I give the policies I need for the EC2 instance.
However, the administrator often forgets to associate some policies to the EC2 instance.
Therefore, I want to automate the process of checking my EC2 instance if it has enought authority to do some behaviors for example as below.
Action: cloudwatch:GetMetricData - Resource: *
Action: rds:DescribeExportTasks - Resource: *
Action: rds:StartExportTask - Resource: *
Action: rds:DescribeDBSnapshots - Resource: arn:aws:rds::region:account:snapshot:*
I did some research and reached to aws-cli and found some commands for checking so but wondering if there are any ways to do so without asking for more authority just for checking the instance.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
您可以通过几个步骤将策略附加到您的EC2实例上。
1:获取您的EC2角色的名称。
AWS EC2描述-IAM-IAM-INSANCE-PROFILE-sassociations-Filters name = instance-id,values = i-123456789您将使用上述命令获得角色名称。
2:列出角色策略
AWS IAM LIST-ROLE-POLICIS - Quon-name my-Instance-lole-name使用上述命令,您将获得所有政策。
3:描述策略。
aws iam get-lole-policy-lole-name my-instance-lole-name-policy-name name dosedpolicyname使用上述命令,您将在
json中获得polciy。更新:使用
Get-lole-Policy您仅获得内联策略。对于其他策略,您需要再进行一步。
4:列出了该角色的非内部政策。
aws iam list artached-lole-poloties - Quon-name my-instance-lole-nameYou can get the policies attached to your EC2 instance with few steps.
1: Get the name of your EC2 role.
aws ec2 describe-iam-instance-profile-associations --filters Name=instance-id,Values=i-123456789You will get role name with the above command.
2: List role policies
aws iam list-role-policies --role-name my-instance-role-nameWith the above command you will get all the policies attached to it.
3: Describe policies.
aws iam get-role-policy --role-name my-instance-role-name --policy-name attachedpolicynameWith the above command, you will get the polciy in
json.UPDATE: With the
get-role-policyyou get only the inline policies.For other policies, you need one more step.
4: List non-inline policies attahced to the role.
aws iam list-attached-role-policies --role-name my-instance-role-name