amazon-web-services - 不使用特定标签 KeyValue 时显式拒绝用户在 AWS 中运行实例

Question

我创建了一个策略，允许用户执行所有 ec2 操作，但限制用户运行实例和创建卷，并且仅当用户通过显式拒绝传递给定标签键值对时才终止实例。

1. ec2 完整权限策略

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "VisualEditor0",
               "Effect": "Allow",
               "Action": "ec2:*",
               "Resource": "*"
           }
       ]
   }
   

2. ec2 运行实例并创建卷，并根据条件显式拒绝。

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "VisualEditor0",
               "Effect": "Deny",
               "Action": [
                   "ec2:RunInstances",
                   "ec2:CreateVolume"
               ],
               "Resource": [
                   "arn:aws:ec2:*:*:instance/*",
                   "arn:aws:ec2:*:*:volume/*"
               ],
               "Condition": {
                   "ForAllValues:StringNotEquals": {
                       "aws:TagKeys": "Name",
                       "aws:RequestTag/Name": "${aws:username}"
                   }
               }
           },
           {
               "Sid": "VisualEditor1",
               "Effect": "Deny",
               "Action": "ec2:CreateTags",
               "Resource": [
                   "arn:aws:ec2:*:*:instance/*",
                   "arn:aws:ec2:*:*:volume/*"
               ],
               "Condition": {
                   "ForAllValues:StringNotEquals": {
                       "aws:RequestTag/Name": "${aws:username}"
                   },
                   "StringNotEquals": {
                       "ec2:CreateAction": "RunInstances",
                       "aws:TagKeys": "Name"
                   }
               }
           },
           {
               "Sid": "VisualEditor2",
               "Effect": "Deny",
               "Action": [
                   "ec2:DeleteVolume",
                   "ec2:TerminateInstances"
               ],
               "Resource": [
                   "arn:aws:ec2:*:*:instance/*",
                   "arn:aws:ec2:*:*:volume/*"
               ],
               "Condition": {
                   "ForAllValues:StringNotEquals": {
                       "ec2:ResourceTag/Name": "${aws:username}"
                   }
               }
           }
       ]
   }
   

我的要求是限制用户授予所有 ec2 权限，并仅在传递标签键“名称”和标签值作为“他们的 aws 用户名”时限制运行实例。 但是当此策略应用于用户时，它限制他们仅在传递标记键“Name”时运行，但不限制标记值“他们的 aws 用户名 ${aws:username}”。 但当用户尝试终止实例时，相同的限制也可以正常工作，即用户无法使用标签键“Name”和标签值“他们的 aws 用户名 ${aws:username}”终止实例

策略中可能存在什么错误，即允许用户使用 tagkey“Name”和 tagValue 的任何值运行实例，甚至 null 也允许

Answer 1

您可以使用以下 IAM 策略并根据您的喜好进行编辑。我在生产中使用它并且工作完美。仅当实例被标记为列表中存在的值时，它才会启动实例。:

这里，Key = 环境，Value = 下面提到的

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TheseActionsDontSupportResourceLevelPermissions",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:*::image/ami-*",
                "arn:aws:ec2:*:ACCOUNT_ID:volume/*",
                "arn:aws:ec2:*:ACCOUNT_ID:subnet/*",
                "arn:aws:ec2:*:ACCOUNT_ID:network-interface/*",
                "arn:aws:ec2:*:ACCOUNT_ID:security-group/*",
                "arn:aws:ec2:*:ACCOUNT_ID:key-pair/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:ACCOUNT_ID:instance/*",
            "Condition": {
                "StringNotLike": {
                    "aws:RequestTag/Environment": [
                        "Testing",
                        "Staging",
                        "Production",
                        "Nightly",
                        "Sandbox",
                        "LoadTesting"
                    ]
                }
            }
        }
    ]
}