aws(学习笔记第四课)

• AWS的IAM服务，用于授权的策略，用户和组以及角色

学习内容：

• AWS的IAM服务
• 用于AWS授权的策略
• 用于认证AWS的用户和组
• 用于认证AWS的角色

1. AWS的IAM服务

1. IAM用户，角色的区别
   • IAM用户服务
     Identity and Access Management是AWS是作为整个认证和访问的服务。
   • root用户，IAM用户和IAM角色的关系

     –	root用户	IAM用户	IAM角色
     可以有一个密码	总是	是	否
     可以有一个访问密钥	是（不推荐）	是	否
     可以属于一个组	否	是	否
     可以与一个EC2实例关联	否	否	是

2. 用于AWS授权的策略

• 策略如下定义
• 策略类型
  • 托管策略
    AWS托管策略 – AWS维护的策略。属于提前在AWS上已经存在的策略，可以供大家使用。
    客户托管策略 – 可以是你的组织中的角色策略。
  • 内联策略
    属于某个用户，组或者角色的策略。内联策略不能游离于用户，组或者角色之外，必须隶属其中之一。

3. 用于认证AWS的用户和组

• 使用awscli很容易定义组和用户

  aws iam create-group --group-name "admin"
  aws iam attach-group-policy --group-name "admin" \
  --policy-arn "arn:aws:iam::aws:policy/AdministratorAccess"
  aws iam create-user --user-name "myuser"
  aws iam add-user-to-group --group-name "admin" --user-name "myuser"
  aws iam create-login-profile --user-name "myuser" --password "Finlay1234567890$"
  

  执行效果如下：

4.用于认证AWS的角色

1. 实现一个EC2自己停止自己
   需要赋予权限给一个EC2实例，让他自己能够在启动5分钟之后停止自己。
2. CloudFormation的代码实现
   • 实现代码

     {
     	"AWSTemplateFormatVersion": "2010-09-09",
     	"Description": "AWS in Action: chapter 6 (IAM role)",
     	"Parameters": {
     		"KeyName": {
     			"Description": "Key Pair name",
     			"Type": "AWS::EC2::KeyPair::KeyName",
     			"Default": "my-cli-key"
     		},
     		"VPC": {
     			"Description": "Just select the one and only default VPC",
     			"Type": "AWS::EC2::VPC::Id"
     		},
     		"Subnet": {
     			"Description": "Just select one of the available subnets",
     			"Type": "AWS::EC2::Subnet::Id"
     		},
     		"Lifetime": {
     			"Description": "Lifetime in minutes (2-59)",
     			"Type": "Number",
     			"Default": "2",
     			"MinValue": "2",
     			"MaxValue": "59"
     		}
     	},
     	"Mappings": {
     		"EC2RegionMap": {
     			"ap-northeast-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-cbf90ecb"},
     			"ap-southeast-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-68d8e93a"},
     			"ap-southeast-2": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-fd9cecc7"},
     			"eu-central-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-a8221fb5"},
     			"eu-west-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-a10897d6"},
     			"sa-east-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-b52890a8"},
     			"us-east-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-1ecae776"},
     			"us-west-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-d114f295"},
     			"us-west-2": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-e7527ed7"}
     		}
     	},
     	"Resources": {
     		"SecurityGroup": {
     			"Type": "AWS::EC2::SecurityGroup",
     			"Properties": {
     				"GroupDescription": "My security group",
     				"VpcId": {"Ref": "VPC"},
     				"SecurityGroupIngress": [{
     					"CidrIp": "0.0.0.0/0",
     					"FromPort": 22,
     					"IpProtocol": "tcp",
     					"ToPort": 22
     				}]
     			}
     		},
     		"InstanceProfile": {
     			"Type": "AWS::IAM::InstanceProfile",
     			"Properties": {
     				"Path": "/",
     				"Roles": [{"Ref": "Role"}]
     			}
     		},
     		"Role": {
     			"Type": "AWS::IAM::Role",
     			"Properties": {
     				"AssumeRolePolicyDocument": {
     					"Version": "2012-10-17",
     					"Statement": [{
     						"Effect": "Allow",
     						"Principal": {
     							"Service": ["ec2.amazonaws.com"]
     						},
     						"Action": ["sts:AssumeRole"]
     					}]
     				},
     				"Path": "/",
     				"Policies": [{
     					"PolicyName": "ec2",
     					"PolicyDocument": {
     						"Version": "2012-10-17",
     						"Statement": [{
     							"Sid": "Stmt1425388787000",
     							"Effect": "Allow",
     							"Action": ["ec2:StopInstances"],
     							"Resource": ["*"],
     							"Condition": {
     								"StringEquals": {"ec2:ResourceTag/aws:cloudformation:stack-id": {"Ref": "AWS::StackId"}}
     							}
     						}]
     					}
     				}]
     			}
     		},
     		"Server": {
     			"Type": "AWS::EC2::Instance",
     			"Properties": {
     				"IamInstanceProfile": {"Ref": "InstanceProfile"},
     				"ImageId": {"Fn::FindInMap": ["EC2RegionMap", {"Ref": "AWS::Region"}, "AmazonLinuxAMIHVMEBSBacked64bit"]},
     				"InstanceType": "t2.micro",
     				"KeyName": {"Ref": "KeyName"},
     				"SecurityGroupIds": [{"Ref": "SecurityGroup"}],
     				"SubnetId": {"Ref": "Subnet"},
     				"UserData": {"Fn::Base64": {"Fn::Join": ["", [
     					"#!/bin/bash -ex\n",
     					"INSTANCEID=`curl -s http://169.254.169.254/latest/meta-data/instance-id`\n",
     					"echo \"aws --region ", {"Ref": "AWS::Region"}, " ec2 stop-instances --instance-ids $INSTANCEID\" | at now + ", {"Ref": "Lifetime"} ," minutes\n"
     				]]}}
     			}
     		}
     	},
     	"Outputs": {
     		"PublicName": {
     			"Value": {"Fn::GetAtt": ["Server", "PublicDnsName"]},
     			"Description": "Public name (connect via SSH as user ec2-user)"
     		}
     	}
     }
     

   • CloudFormation执行结果
     
   • 执行后等待5分钟
   • 最后清理CloudFormation
CloudFormation属于全攻全守，所以直接删除即可