本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。 # Amazon Inspector 無代理程式掃描的服務連結角色許可 Amazon Inspector 無代理程式掃描使用名為 的服務連結角色`AWSServiceRoleForAmazonInspector2Agentless`。此 SLR 允許 Amazon Inspector 在您的帳戶中建立 Amazon EBS 磁碟區快照,然後從該快照存取資料。此服務連結角色信任`agentless.inspector2.amazonaws.com`服務擔任該角色。 **重要** 此服務連結角色中的陳述式可防止 Amazon Inspector 對您使用 `InspectorEc2Exclusion`標籤從掃描中排除的任何 EC2 執行個體執行無代理程式掃描。此外,當用於加密磁碟區的 KMS 金鑰具有 `InspectorEc2Exclusion`標籤時,陳述式會防止 Amazon Inspector 從磁碟區存取加密的資料。如需詳細資訊,請參閱[從 Amazon Inspector 掃描排除執行個體](scanning-ec2.md#exclude-ec2)。 名為 的角色的許可政策`AmazonInspector2AgentlessServiceRolePolicy`允許 Amazon Inspector 執行任務,例如: + 使用 Amazon Elastic Compute Cloud (Amazon EC2) 動作來擷取 EC2 執行個體、磁碟區和快照的相關資訊。 + 使用 Amazon EC2 標記動作來標記快照,以便使用`InspectorScan`標籤金鑰進行掃描。 + 使用 Amazon EC2 快照動作建立快照、使用`InspectorScan`標籤金鑰標記快照,然後刪除已使用`InspectorScan`標籤金鑰標記的 Amazon EBS 磁碟區的快照。 + 使用 Amazon EBS 動作從標記有標籤`InspectorScan`索引鍵的快照擷取資訊。 + 使用選取 AWS KMS 解密動作來解密使用 AWS KMS 客戶受管金鑰加密的快照。當用於加密快照的 KMS 金鑰加上標籤時,Amazon Inspector 不會解密快照`InspectorEc2Exclusion`。 角色是使用下列許可政策來設定。 ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "InstanceIdentification", "Effect": "Allow", "Action": [ "ec2:DescribeInstances", "ec2:DescribeVolumes", "ec2:DescribeSnapshots" ], "Resource": "*" }, { "Sid": "GetSnapshotData", "Effect": "Allow", "Action": [ "ebs:ListSnapshotBlocks", "ebs:GetSnapshotBlock" ], "Resource": "arn:aws:ec2:*:*:snapshot/*", "Condition": { "StringLike": { "aws:ResourceTag/InspectorScan": "*" } } }, { "Sid": "CreateSnapshotsAnyInstanceOrVolume", "Effect": "Allow", "Action": "ec2:CreateSnapshots", "Resource": [ "arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*" ] }, { "Sid": "DenyCreateSnapshotsOnExcludedInstances", "Effect": "Deny", "Action": "ec2:CreateSnapshots", "Resource": "arn:aws:ec2:*:*:instance/*", "Condition": { "StringEquals": { "ec2:ResourceTag/InspectorEc2Exclusion": "true" } } }, { "Sid": "CreateSnapshotsOnAnySnapshotOnlyWithTag", "Effect": "Allow", "Action": "ec2:CreateSnapshots", "Resource": "arn:aws:ec2:*:*:snapshot/*", "Condition": { "Null": { "aws:TagKeys": "false" }, "ForAllValues:StringEquals": { "aws:TagKeys": "InspectorScan" } } }, { "Sid": "CreateOnlyInspectorScanTagOnlyUsingCreateSnapshots", "Effect": "Allow", "Action": "ec2:CreateTags", "Resource": "arn:aws:ec2:*:*:snapshot/*", "Condition": { "StringLike": { "ec2:CreateAction": "CreateSnapshots" }, "Null": { "aws:TagKeys": "false" }, "ForAllValues:StringEquals": { "aws:TagKeys": "InspectorScan" } } }, { "Sid": "DeleteOnlySnapshotsTaggedForScanning", "Effect": "Allow", "Action": "ec2:DeleteSnapshot", "Resource": "arn:aws:ec2:*:*:snapshot/*", "Condition": { "StringLike": { "ec2:ResourceTag/InspectorScan": "*" } } }, { "Sid": "DenyKmsDecryptForExcludedKeys", "Effect": "Deny", "Action": "kms:Decrypt", "Resource": "arn:aws:kms:*:*:key/*", "Condition": { "StringEquals": { "aws:ResourceTag/InspectorEc2Exclusion": "true" } } }, { "Sid": "DecryptSnapshotBlocksVolContext", "Effect": "Allow", "Action": "kms:Decrypt", "Resource": "arn:aws:kms:*:*:key/*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" }, "StringLike": { "kms:ViaService": "ec2.*.amazonaws.com", "kms:EncryptionContext:aws:ebs:id": "vol-*" } } }, { "Sid": "DecryptSnapshotBlocksSnapContext", "Effect": "Allow", "Action": "kms:Decrypt", "Resource": "arn:aws:kms:*:*:key/*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" }, "StringLike": { "kms:ViaService": "ec2.*.amazonaws.com", "kms:EncryptionContext:aws:ebs:id": "snap-*" } } }, { "Sid": "DescribeKeysForEbsOperations", "Effect": "Allow", "Action": "kms:DescribeKey", "Resource": "arn:aws:kms:*:*:key/*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" }, "StringLike": { "kms:ViaService": "ec2.*.amazonaws.com" } } }, { "Sid": "ListKeyResourceTags", "Effect": "Allow", "Action": "kms:ListResourceTags", "Resource": "arn:aws:kms:*:*:key/*" } ] } ``` ------