我想从我的持续部署系统 (Codeship) 在 Elastic Beanstalk 上更新和部署新版本，但也想锁定部署用户拥有的权限。

如果需要权限，最小设置是多少？

最佳答案

此 IAM 策略提供执行“上传和部署”功能所需的所有权限:

• 对于新的应用程序版本
• 在指定的 Elastic Beanstalk 环境中。

替换以下内容:

• 将 $REGION 替换为特定区域，例如:us-east-1
• 将 $ACCOUNT 替换为帐号(不含破折号)，例如:123456789012
• 将 $APPLICATION 替换为特定的应用程序，例如:我的 Beanstalk 应用程序
• 将 $ENVIRONMENT 替换为特定环境，例如:My Beanstalk Environment

节点:如果您将日志推送到 CloudWatch，您将需要额外的策略。

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAutoscalingSuspendAndResumeProcesses",
      "Action": [
        "autoscaling:SuspendProcesses",
        "autoscaling:ResumeProcesses"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "AllowElasticBeanstalkValidateConfigurationSettings",
      "Action": [
        "elasticbeanstalk:ValidateConfigurationSettings"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:$REGION:$ACCOUNT:environment/$APPLICATION/$ENVIRONMENT"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": [
            "arn:aws:elasticbeanstalk:$REGION:$ACCOUNT:application/$APPLICATION"
          ]
        }
      }
    },
    {
      "Sid": "AllowS3PutAndDeleteObjectInProperBucket",
      "Action": [
        "s3:Put*",
        "s3:Delete*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::elasticbeanstalk-$REGION-$ACCOUNT/*"
      ]
    },
    {
      "Sid": "AllowElasticBeanstalkCreateStorageLocation",
      "Action": [
        "elasticbeanstalk:CreateStorageLocation"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "AllowElasticBeanstalkCreateApplicationVersion",
      "Action": [
        "elasticbeanstalk:CreateApplicationVersion"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:$REGION:$ACCOUNT:applicationversion/$APPLICATION/*"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": [
            "arn:aws:elasticbeanstalk:$REGION:$ACCOUNT:application/$APPLICATION"
          ]
        }
      }
    },
    {
      "Sid": "AllowElasticBeanstalkUpdateEnvironment",
      "Action": [
        "elasticbeanstalk:UpdateEnvironment"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticbeanstalk:$REGION:$ACCOUNT:environment/$APPLICATION/$ENVIRONMENT"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": [
            "arn:aws:elasticbeanstalk:$REGION:$ACCOUNT:application/$APPLICATION"
          ]
        },
        "StringLike": {
          "elasticbeanstalk:FromApplicationVersion": [
            "arn:aws:elasticbeanstalk:$REGION:$ACCOUNT:applicationversion/$APPLICATION/*"
          ]
        }
      }
    },
    {
      "Sid": "AllowElasticBeanstalkReadOnlyAccess",
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:Check*",
        "elasticbeanstalk:Describe*",
        "elasticbeanstalk:List*",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RetrieveEnvironmentInfo",
        "ec2:Describe*",
        "elasticloadbalancing:Describe*",
        "autoscaling:Describe*",
        "cloudwatch:Describe*",
        "cloudwatch:List*",
        "cloudwatch:Get*",
        "s3:Get*",
        "s3:List*",
        "sns:Get*",
        "sns:List*",
        "cloudformation:Describe*",
        "cloudformation:Get*",
        "cloudformation:List*",
        "cloudformation:Validate*",
        "cloudformation:Estimate*",
        "rds:Describe*",
        "sqs:Get*",
        "sqs:List*"
      ],
      "Resource": "*"
    }
  ]
}

关于amazon-web-services - 更新和部署 Elastic Beanstalk 应用程序所需的最低策略是什么？，我们在Stack Overflow上找到一个类似的问题： https://stackoverflow.com/questions/35506603/