我创建了一个策略,允许用户执行所有 ec2 操作,但限制用户运行实例和创建卷,并且仅当用户通过显式拒绝传递给定标签键值对时才终止实例。
ec2 完整权限策略
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "ec2:*", "Resource": "*" } ] }
ec2 运行实例并创建卷,并根据条件显式拒绝。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Deny", "Action": [ "ec2:RunInstances", "ec2:CreateVolume" ], "Resource": [ "arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*" ], "Condition": { "ForAllValues:StringNotEquals": { "aws:TagKeys": "Name", "aws:RequestTag/Name": "${aws:username}" } } }, { "Sid": "VisualEditor1", "Effect": "Deny", "Action": "ec2:CreateTags", "Resource": [ "arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*" ], "Condition": { "ForAllValues:StringNotEquals": { "aws:RequestTag/Name": "${aws:username}" }, "StringNotEquals": { "ec2:CreateAction": "RunInstances", "aws:TagKeys": "Name" } } }, { "Sid": "VisualEditor2", "Effect": "Deny", "Action": [ "ec2:DeleteVolume", "ec2:TerminateInstances" ], "Resource": [ "arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*" ], "Condition": { "ForAllValues:StringNotEquals": { "ec2:ResourceTag/Name": "${aws:username}" } } } ] }
我的要求是限制用户授予所有 ec2 权限,并仅在传递标签键“名称”和标签值作为“他们的 aws 用户名”时限制运行实例。 但是当此策略应用于用户时,它限制他们仅在传递标记键“Name”时运行,但不限制标记值“他们的 aws 用户名 ${aws:username}”。 但当用户尝试终止实例时,相同的限制也可以正常工作,即用户无法使用标签键“Name”和标签值“他们的 aws 用户名 ${aws:username}”终止实例
策略中可能存在什么错误,即允许用户使用 tagkey“Name”和 tagValue 的任何值运行实例,甚至 null 也允许
最佳答案
您可以使用以下 IAM 策略并根据您的喜好进行编辑。我在生产中使用它并且工作完美。仅当实例被标记为列表中存在的值时,它才会启动实例。:
这里,Key = 环境
,Value = 下面提到的
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "TheseActionsDontSupportResourceLevelPermissions",
"Effect": "Allow",
"Action": [
"ec2:Describe*"
],
"Resource": "*"
},
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:*::image/ami-*",
"arn:aws:ec2:*:ACCOUNT_ID:volume/*",
"arn:aws:ec2:*:ACCOUNT_ID:subnet/*",
"arn:aws:ec2:*:ACCOUNT_ID:network-interface/*",
"arn:aws:ec2:*:ACCOUNT_ID:security-group/*",
"arn:aws:ec2:*:ACCOUNT_ID:key-pair/*"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:*:ACCOUNT_ID:instance/*",
"Condition": {
"StringNotLike": {
"aws:RequestTag/Environment": [
"Testing",
"Staging",
"Production",
"Nightly",
"Sandbox",
"LoadTesting"
]
}
}
}
]
}
关于amazon-web-services - 不使用特定标签 KeyValue 时显式拒绝用户在 AWS 中运行实例,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/51929870/