学习目标
- 掌握IAM与EC2实例的集成配置
- 学习Lambda函数的权限管理
- 理解S3存储桶策略的配置
- 掌握跨服务权限管理
- 实施服务间安全通信
服务集成架构图
8.1 IAM与EC2集成
8.1.1 EC2实例角色配置
import json
import textwrap
from datetime import datetime

import boto3
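def configure_ec2_iam_integration(iam_client=None, ec2_client=None, sts_client=None):
    """
    Build the EC2 / IAM integration helper.

    Args:
        iam_client: Optional pre-built IAM client; defaults to ``boto3.client('iam')``.
        ec2_client: Optional pre-built EC2 client; defaults to ``boto3.client('ec2')``.
        sts_client: Optional pre-built STS client; defaults to ``boto3.client('sts')``.
            Injecting clients lets the helper be exercised without AWS credentials.

    Returns:
        An ``EC2IAMIntegration`` instance.
    """

    class EC2IAMIntegration:
        """Create EC2 service roles / instance profiles and launch instances with them."""

        def __init__(self, iam=None, ec2=None, sts=None):
            # Fall back to default boto3 clients (region and credentials come from
            # the environment) when no client is injected.
            self.iam = iam if iam is not None else boto3.client('iam')
            self.ec2 = ec2 if ec2 is not None else boto3.client('ec2')
            self.sts = sts if sts is not None else boto3.client('sts')

        def create_ec2_service_role(self, role_name, permissions):
            """
            Create an IAM role assumable by EC2, attach its permissions and wrap it
            in an instance profile of the same name.

            Args:
                role_name: Name used for both the role and the instance profile.
                permissions: List of dicts, each either
                    ``{'type': 'managed', 'arn': <policy ARN>}`` or
                    ``{'type': 'inline', 'name': <policy name>, 'document': <policy dict>}``.

            Returns:
                ``{'role_arn': ..., 'instance_profile_name': ...}`` on success,
                ``None`` on any failure (the error is printed). A failure after
                ``create_role`` succeeded leaves a partially configured role behind.
            """
            # Trust policy: only the EC2 service may assume this role.
            trust_policy = {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {"Service": "ec2.amazonaws.com"},
                        "Action": "sts:AssumeRole",
                    }
                ],
            }
            try:
                # Validate the permission specs before touching IAM, so a typo in a
                # spec does not silently drop a policy or leave a half-built role.
                for permission in permissions:
                    if permission.get('type') not in ('managed', 'inline'):
                        raise ValueError(
                            f"unknown permission type: {permission.get('type')!r}"
                        )

                role_response = self.iam.create_role(
                    RoleName=role_name,
                    AssumeRolePolicyDocument=json.dumps(trust_policy),
                    Description=f'Service role for EC2 instances: {role_name}',
                    Tags=[
                        {'Key': 'Service', 'Value': 'EC2'},
                        {'Key': 'ManagedBy', 'Value': 'IAM-Automation'},
                        {'Key': 'CreatedDate', 'Value': datetime.now().strftime('%Y-%m-%d')},
                    ],
                )
                role_arn = role_response['Role']['Arn']
                print(f"✅ EC2角色创建成功: {role_arn}")

                # Attach managed policies by ARN, inline policies by document.
                for permission in permissions:
                    if permission['type'] == 'managed':
                        self.iam.attach_role_policy(
                            RoleName=role_name,
                            PolicyArn=permission['arn'],
                        )
                    else:
                        self.iam.put_role_policy(
                            RoleName=role_name,
                            PolicyName=permission['name'],
                            PolicyDocument=json.dumps(permission['document']),
                        )

                # EC2 attaches roles through an instance profile, not directly.
                self.iam.create_instance_profile(InstanceProfileName=role_name)
                self.iam.add_role_to_instance_profile(
                    InstanceProfileName=role_name,
                    RoleName=role_name,
                )
                print(f"✅ 实例配置文件创建成功: {role_name}")
                return {
                    'role_arn': role_arn,
                    'instance_profile_name': role_name,
                }
            except Exception as e:
                # Best-effort boundary for a demo script: report and signal failure
                # with None rather than aborting the caller.
                print(f"❌ 创建EC2角色失败: {str(e)}")
                return None

        def create_web_server_role(self):
            """
            Create ``WebServerRole``: CloudWatch agent access plus object-level
            access to the web-content bucket and read access to the
            ``/webserver/`` SSM parameter and Secrets Manager namespaces.
            """
            permissions = [
                {
                    'type': 'managed',
                    'arn': 'arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy',
                },
                {
                    'type': 'inline',
                    'name': 'WebServerCustomPolicy',
                    'document': {
                        "Version": "2012-10-17",
                        "Statement": [
                            {
                                # Object-level only: no bucket listing is granted.
                                "Effect": "Allow",
                                "Action": ["s3:GetObject", "s3:PutObject"],
                                "Resource": "arn:aws:s3:::my-web-content/*",
                            },
                            {
                                "Effect": "Allow",
                                "Action": [
                                    "ssm:GetParameter",
                                    "ssm:GetParameters",
                                    "ssm:GetParametersByPath",
                                ],
                                "Resource": "arn:aws:ssm:*:*:parameter/webserver/*",
                            },
                            {
                                "Effect": "Allow",
                                "Action": ["secretsmanager:GetSecretValue"],
                                "Resource": "arn:aws:secretsmanager:*:*:secret:webserver/*",
                            },
                        ],
                    },
                },
            ]
            return self.create_ec2_service_role("WebServerRole", permissions)

        def create_database_server_role(self):
            """
            Create ``DatabaseServerRole``: CloudWatch agent access, object-level
            access to the backup/log buckets, data-key operations on the database
            KMS key and read/write of the ``/database/`` SSM parameters.
            """
            permissions = [
                {
                    'type': 'managed',
                    'arn': 'arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy',
                },
                {
                    'type': 'inline',
                    'name': 'DatabaseServerPolicy',
                    'document': {
                        "Version": "2012-10-17",
                        "Statement": [
                            {
                                "Effect": "Allow",
                                "Action": ["s3:GetObject", "s3:PutObject"],
                                "Resource": [
                                    "arn:aws:s3:::database-backups/*",
                                    "arn:aws:s3:::database-logs/*",
                                ],
                            },
                            {
                                "Effect": "Allow",
                                "Action": [
                                    "kms:Encrypt",
                                    "kms:Decrypt",
                                    "kms:ReEncrypt*",
                                    "kms:GenerateDataKey*",
                                    "kms:DescribeKey",
                                ],
                                # NOTE(review): KMS key ARNs end in a key id; this looks
                                # like an alias name — confirm the intended resource.
                                "Resource": "arn:aws:kms:*:*:key/database-encryption-key",
                            },
                            {
                                "Effect": "Allow",
                                "Action": ["ssm:GetParameter", "ssm:PutParameter"],
                                "Resource": "arn:aws:ssm:*:*:parameter/database/*",
                            },
                        ],
                    },
                },
            ]
            return self.create_ec2_service_role("DatabaseServerRole", permissions)

        def launch_instance_with_role(self, instance_profile_name, **kwargs):
            """
            Launch a single EC2 instance with the given instance profile attached.

            Keyword args: ``image_id``, ``instance_type`` (default ``t3.micro``),
            ``security_groups`` (list of SG ids), ``subnet_id``, ``key_name``,
            ``user_data``, ``name`` (Name tag value) and ``http_tokens``
            (``'required'`` by default, i.e. IMDSv2 only; pass ``'optional'`` to
            also allow IMDSv1).

            Returns:
                The new instance id, or ``None`` on failure (the error is printed).
            """
            launch_params = {
                # NOTE: the fallback AMI id is a placeholder from the original
                # listing; callers should pass a real image_id for their region.
                'ImageId': kwargs.get('image_id', 'ami-0abcdef1234567890'),
                'InstanceType': kwargs.get('instance_type', 't3.micro'),
                'MinCount': 1,
                'MaxCount': 1,
                'IamInstanceProfile': {'Name': instance_profile_name},
                'SecurityGroupIds': kwargs.get('security_groups', []),
                'SubnetId': kwargs.get('subnet_id'),
                'KeyName': kwargs.get('key_name'),
                'UserData': kwargs.get('user_data', ''),
                # Require IMDSv2 session tokens so the role credentials served by
                # the metadata endpoint cannot be read with a plain unauthenticated GET.
                'MetadataOptions': {'HttpTokens': kwargs.get('http_tokens', 'required')},
                'TagSpecifications': [
                    {
                        'ResourceType': 'instance',
                        'Tags': [
                            {'Key': 'Name', 'Value': kwargs.get('name', 'IAM-Managed-Instance')},
                            {'Key': 'IAMRole', 'Value': instance_profile_name},
                            {'Key': 'ManagedBy', 'Value': 'IAM-Integration'},
                        ],
                    }
                ],
            }
            # boto3 rejects None for optional string parameters (SubnetId, KeyName),
            # so drop any that were not supplied instead of sending them.
            launch_params = {k: v for k, v in launch_params.items() if v is not None}
            try:
                response = self.ec2.run_instances(**launch_params)
                instance_id = response['Instances'][0]['InstanceId']
                print(f"✅ EC2实例启动成功: {instance_id}")
                print(f" 使用IAM角色: {instance_profile_name}")
                return instance_id
            except Exception as e:
                print(f"❌ 启动EC2实例失败: {str(e)}")
                return None

        def test_instance_permissions(self, instance_id):
            """
            Return (and print) a bash script that exercises the instance role from
            inside the instance. The script is not executed here.

            It fetches the role name via IMDSv2 (session token first, then the
            credentials path) and runs a few read-only AWS CLI calls.

            Args:
                instance_id: Only used in the printed heading.

            Returns:
                The script text.
            """
            test_script = textwrap.dedent('''\
                #!/bin/bash
                echo "=== 测试EC2实例IAM权限 ==="
                # IMDSv2: obtain a short-lived session token and send it with every
                # metadata request; token-less (IMDSv1) requests are refused when
                # the instance was launched with HttpTokens=required.
                TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" \\
                    -H "X-aws-ec2-metadata-token-ttl-seconds: 300")
                echo "1. 获取实例IAM角色信息:"
                curl -s -H "X-aws-ec2-metadata-token: $TOKEN" \\
                    http://169.254.169.254/latest/meta-data/iam/security-credentials/
                echo -e "\\n2. 测试AWS CLI权限:"
                aws sts get-caller-identity
                echo -e "\\n3. 测试S3权限:"
                # Expected to be denied for the roles defined in this module: they
                # grant object-level s3:GetObject/PutObject only, not s3:ListAllMyBuckets.
                aws s3 ls
                echo -e "\\n4. 测试SSM参数访问:"
                aws ssm get-parameters-by-path --path "/webserver" --recursive
                echo -e "\\n5. 测试CloudWatch日志权限:"
                aws logs describe-log-groups --limit 5
            ''')
            print(f"📋 实例权限测试脚本 (Instance ID: {instance_id}):")
            print(test_script)
            return test_script

    return EC2IAMIntegration(iam_client, ec2_client, sts_client)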
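if __name__ == "__main__":
    # Demo: create both EC2 service roles. Needs AWS credentials with IAM write
    # access; guarded so importing this module does not create resources.
    ec2_iam = configure_ec2_iam_integration()
    web_role = ec2_iam.create_web_server_role()
    db_role = ec2_iam.create_database_server_role()

    print("\n📋 EC2 IAM集成配置完成:")
    # create_*_role returns None on failure, so report the real outcome instead
    # of printing success unconditionally.
    print(" ✅ Web服务器角色已创建" if web_role else " ❌ Web服务器角色创建失败")
    print(" ✅ 数据库服务器角色已创建" if db_role else " ❌ 数据库服务器角色创建失败")
    if web_role and db_role:
        print(" ✅ 实例配置文件已配置")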
