aws(学习笔记第四课) AWS的IAM服务，用于授权的策略，用户和组以及角色

news2024/10/9 4:55:05

                    
                        
                    
                    aws(学习笔记第四课) 
 AWS的IAM服务，用于授权的策略，用户和组以及角色
 
 
学习内容： 
AWS的IAM服务
用于AWS授权的策略
用于认证AWS的用户和组
用于认证AWS的角色
 
1. AWS的IAM服务 
IAM用户，角色的区别 
  IAM用户服务
 Identity and Access Management是AWS是作为整个认证和访问的服务。
root用户，IAM用户和IAM角色的关系 
    –root用户IAM用户IAM角色
可以有一个密码总是是否
可以有一个访问密钥是（不推荐）是否
可以属于一个组否是否
可以与一个EC2实例关联否否是
 
 
 
2. 用于AWS授权的策略 
策略如下定义
策略类型 
  托管策略
 AWS托管策略 – AWS维护的策略。属于提前在AWS上已经存在的策略，可以供大家使用。
 客户托管策略 – 可以是你的组织中的角色策略。
内联策略
 属于某个用户，组或者角色的策略。内联策略不能游离于用户，组或者角色之外，必须隶属其中之一。
 
 
3. 用于认证AWS的用户和组 
使用awscli很容易定义组和用户aws iam create-group --group-name "admin"
aws iam attach-group-policy --group-name "admin" \
--policy-arn "arn:aws:iam::aws:policy/AdministratorAccess"
aws iam create-user --user-name "myuser"
aws iam add-user-to-group --group-name "admin" --user-name "myuser"
aws iam create-login-profile --user-name "myuser" --password "Finlay1234567890$"
 执行效果如下：
 
4.用于认证AWS的角色 
实现一个EC2自己停止自己
 需要赋予权限给一个EC2实例，让他自己能够在启动5分钟之后停止自己。
CloudFormation的代码实现 
  实现代码{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "AWS in Action: chapter 6 (IAM role)",
	"Parameters": {
		"KeyName": {
			"Description": "Key Pair name",
			"Type": "AWS::EC2::KeyPair::KeyName",
			"Default": "my-cli-key"
		},
		"VPC": {
			"Description": "Just select the one and only default VPC",
			"Type": "AWS::EC2::VPC::Id"
		},
		"Subnet": {
			"Description": "Just select one of the available subnets",
			"Type": "AWS::EC2::Subnet::Id"
		},
		"Lifetime": {
			"Description": "Lifetime in minutes (2-59)",
			"Type": "Number",
			"Default": "2",
			"MinValue": "2",
			"MaxValue": "59"
		}
	},
	"Mappings": {
		"EC2RegionMap": {
			"ap-northeast-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-cbf90ecb"},
			"ap-southeast-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-68d8e93a"},
			"ap-southeast-2": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-fd9cecc7"},
			"eu-central-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-a8221fb5"},
			"eu-west-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-a10897d6"},
			"sa-east-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-b52890a8"},
			"us-east-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-1ecae776"},
			"us-west-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-d114f295"},
			"us-west-2": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-e7527ed7"}
		}
	},
	"Resources": {
		"SecurityGroup": {
			"Type": "AWS::EC2::SecurityGroup",
			"Properties": {
				"GroupDescription": "My security group",
				"VpcId": {"Ref": "VPC"},
				"SecurityGroupIngress": [{
					"CidrIp": "0.0.0.0/0",
					"FromPort": 22,
					"IpProtocol": "tcp",
					"ToPort": 22
				}]
			}
		},
		"InstanceProfile": {
			"Type": "AWS::IAM::InstanceProfile",
			"Properties": {
				"Path": "/",
				"Roles": [{"Ref": "Role"}]
			}
		},
		"Role": {
			"Type": "AWS::IAM::Role",
			"Properties": {
				"AssumeRolePolicyDocument": {
					"Version": "2012-10-17",
					"Statement": [{
						"Effect": "Allow",
						"Principal": {
							"Service": ["ec2.amazonaws.com"]
						},
						"Action": ["sts:AssumeRole"]
					}]
				},
				"Path": "/",
				"Policies": [{
					"PolicyName": "ec2",
					"PolicyDocument": {
						"Version": "2012-10-17",
						"Statement": [{
							"Sid": "Stmt1425388787000",
							"Effect": "Allow",
							"Action": ["ec2:StopInstances"],
							"Resource": ["*"],
							"Condition": {
								"StringEquals": {"ec2:ResourceTag/aws:cloudformation:stack-id": {"Ref": "AWS::StackId"}}
							}
						}]
					}
				}]
			}
		},
		"Server": {
			"Type": "AWS::EC2::Instance",
			"Properties": {
				"IamInstanceProfile": {"Ref": "InstanceProfile"},
				"ImageId": {"Fn::FindInMap": ["EC2RegionMap", {"Ref": "AWS::Region"}, "AmazonLinuxAMIHVMEBSBacked64bit"]},
				"InstanceType": "t2.micro",
				"KeyName": {"Ref": "KeyName"},
				"SecurityGroupIds": [{"Ref": "SecurityGroup"}],
				"SubnetId": {"Ref": "Subnet"},
				"UserData": {"Fn::Base64": {"Fn::Join": ["", [
					"#!/bin/bash -ex\n",
					"INSTANCEID=`curl -s http://169.254.169.254/latest/meta-data/instance-id`\n",
					"echo \"aws --region ", {"Ref": "AWS::Region"}, " ec2 stop-instances --instance-ids $INSTANCEID\" | at now + ", {"Ref": "Lifetime"} ," minutes\n"
				]]}}
			}
		}
	},
	"Outputs": {
		"PublicName": {
			"Value": {"Fn::GetAtt": ["Server", "PublicDnsName"]},
			"Description": "Public name (connect via SSH as user ec2-user)"
		}
	}
}
 
CloudFormation执行结果
 
执行后等待5分钟
最后清理CloudFormation
 CloudFormation属于全攻全守，所以直接删除即可
 
 

                

–	root用户	IAM用户	IAM角色
可以有一个密码	总是	是	否
可以有一个访问密钥	是（不推荐）	是	否
可以属于一个组	否	是	否
可以与一个`EC2实例关联`	否	否	是