实现代码
{"AWSTemplateFormatVersion": "2010-09-09","Description": "AWS in Action: chapter 6 (IAM role)","Parameters": {"KeyName": {"Description": "Key Pair name","Type": "AWS::EC2::KeyPair::KeyName","Default": "my-cli-key"},"VPC": {"Description": "Just select the one and only default VPC","Type": "AWS::EC2::VPC::Id"},"Subnet": {"Description": "Just select one of the available subnets","Type": "AWS::EC2::Subnet::Id"},"Lifetime": {"Description": "Lifetime in minutes (2-59)","Type": "Number","Default": "2","MinValue": "2","MaxValue": "59"}},"Mappings": {"EC2RegionMap": {"ap-northeast-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-cbf90ecb"},"ap-southeast-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-68d8e93a"},"ap-southeast-2": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-fd9cecc7"},"eu-central-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-a8221fb5"},"eu-west-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-a10897d6"},"sa-east-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-b52890a8"},"us-east-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-1ecae776"},"us-west-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-d114f295"},"us-west-2": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-e7527ed7"}}},"Resources": {"SecurityGroup": {"Type": "AWS::EC2::SecurityGroup","Properties": {"GroupDescription": "Allows inbound SSH (TCP 22) from any IPv4 address (0.0.0.0/0)","VpcId": {"Ref": "VPC"},"SecurityGroupIngress": [{"CidrIp": "0.0.0.0/0","FromPort": 22,"IpProtocol": "tcp","ToPort": 22}]}},"InstanceProfile": {"Type": "AWS::IAM::InstanceProfile","Properties": {"Path": "/","Roles": [{"Ref": "Role"}]}},"Role": {"Type": "AWS::IAM::Role","Properties": {"AssumeRolePolicyDocument": {"Version": "2012-10-17","Statement": [{"Effect": "Allow","Principal": {"Service": ["ec2.amazonaws.com"]},"Action": ["sts:AssumeRole"]}]},"Path": "/","Policies": [{"PolicyName": "ec2","PolicyDocument": {"Version": "2012-10-17","Statement": [{"Sid": "Stmt1425388787000","Effect": "Allow","Action": ["ec2:StopInstances"],"Resource": ["*"],"Condition": {"StringEquals": 
{"ec2:ResourceTag/aws:cloudformation:stack-id": {"Ref": "AWS::StackId"}}}}]}}]}},"Server": {"Type": "AWS::EC2::Instance","Properties": {"IamInstanceProfile": {"Ref": "InstanceProfile"},"ImageId": {"Fn::FindInMap": ["EC2RegionMap", {"Ref": "AWS::Region"}, "AmazonLinuxAMIHVMEBSBacked64bit"]},"InstanceType": "t2.micro","KeyName": {"Ref": "KeyName"},"SecurityGroupIds": [{"Ref": "SecurityGroup"}],"SubnetId": {"Ref": "Subnet"},"UserData": {"Fn::Base64": {"Fn::Join": ["", ["#!/bin/bash -ex\n","INSTANCEID=`curl -s http://169.254.169.254/latest/meta-data/instance-id`\n","echo \"aws --region ", {"Ref": "AWS::Region"}, " ec2 stop-instances --instance-ids $INSTANCEID\" | at now + ", {"Ref": "Lifetime"} ," minutes\n"]]}}}}},"Outputs": {"PublicName": {"Value": {"Fn::GetAtt": ["Server", "PublicDnsName"]},"Description": "Public name (connect via SSH as user ec2-user)"}}
}