我想用策略创建一个IAM角色,使其只能终止EC2实例,并且可以影响(即终止)的实例属于那些特定标签。
当前,我正在使用AmazonEC2FullAccess,它提供的权限比我希望提供的更多。我希望该策略 不 具有创建或停止EC2的能力。
所以我的问题是,如何构建仅允许终止EC2且仅终止具有特定标签的EC2的IAM策略(即此策略的JSON是什么)?
作为参考,AmazonEC2FullAccess策略如下所示
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "ec2:*",
"Effect": "Allow",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "elasticloadbalancing:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "cloudwatch:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "autoscaling:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": [
"autoscaling.amazonaws.com",
"ec2scheduled.amazonaws.com",
"elasticloadbalancing.amazonaws.com",
"spot.amazonaws.com",
"spotfleet.amazonaws.com",
"transitgateway.amazonaws.com"
]
}
}
}
]
}