amazon-web-services - 如何允许或阻止 aws iam 用户运行 sendCommand?
问题描述
我创建了一个带有 ssm 和 ec2 操作的 aws_iam_policy_document :
data "aws_iam_policy_document" "AdminEc2Actions" {
statement {
effect = "Allow"
sid = "sid1"
actions = [
"ssm:SendCommand",
"ec2:Start*",
"ssm:StartSession"
]
resources = [
"*"
]
}
}
# Create IAM policy for ec2
resource "aws_iam_policy" "AdminEc2Actions" {
name = "test-AdminEc2Actions-policies"
description = "ec2 policies"
path = "/"
policy = data.aws_iam_policy_document.AdminEc2Actions.json
}
# Attaches customer managed IAM poloicy to an IAM admins group
resource "aws_iam_group_policy_attachment" "AdminEc2Actions" {
group = aws_iam_group.groups[0].name
policy_arn = aws_iam_policy.AdminEc2Actions.arn
}
但是,由于某种原因,有时会考虑到动作的任何变化,有时会忽略。例如。当我运行这个命令时,我得到:
[ssm-user@ip-xxx.yy.zz.1]$ aws s3 mv /tmp/file* s3://test-dent-backup1/daily/
move failed: ../../tmp/file1.txt to s3://test-dent-backup1/daily/file1.txt [Errno 1] Operation not permitted: '/tmp/file1.txt'
有什么建议么?
解决方案
推荐阅读
- excel - 二维向量查找 [x;y]
- c# - 如何将长度 1 维添加到 NDArray c#
- typescript - Typescript 函数重载不兼容
- azure-ad-b2c - azure-ad-b2c - 关于 B2C+MFA 设置的问题
- codenameone - 找不到符号导入 android.app.Person
- c - 如何在C中将char指针数组转换为int指针数组
- python - 从 Twitter 列表中获取时间线
- go - Golang - 语法错误:意外{在顶级声明之后
- reactjs - 使用打字稿和量角器在 shadowroot 中定位反应元素 [
- graphql - 如何使用 curl 从 GraphQL 服务请求模式?