AWS policy to start instances through the AWS CLI

Time: 2020-03-21 15:21:59

Tags: amazon-web-services amazon-ec2

I want to attach an AWS policy to an IAM user that only makes start-instance / stop-instance on EC2 possible using the AWS CLI.

It works when using the AmazonEC2FullAccess policy, but I want to restrict it.

I have mixed startInstances, stopInstances, describeInstances, ... but it didn't work.

I am using aws ec2 start-instance --instance-ids i-123

Any ideas?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["cloudwatch:*","ec2:Describe*"],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": ["ec2:StartInstances","ec2:StopInstances"],
            "Effect": "Allow",
            "Resource": "arn:aws:ec2:eu-central-1b:123412341234:instance/i-123412341234"
        }
    ]
}

1 answer:

Answer 0: (score: 0)

The policy that allows the IAM user to use "ec2:StartInstances" and "ec2:StopInstances" is as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["cloudwatch:*","ec2:Describe*"],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": ["ec2:StartInstances","ec2:StopInstances"],
            "Effect": "Allow",
            "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"
        }
    ]
}

Note how the cloudwatch and ec2:Describe actions are in a separate statement; they used to support only the "*" resource. You can see AWS doing the same thing, separating the EC2 actions from Describe and tagging: https://aws.amazon.com/premiumsupport/knowledge-center/iam-ec2-resource-tags/

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/UserName": "${aws:username}"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Resource": "*"
    }
  ]
}
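To see why the answer's region-scoped instance ARN, the separate "*" statement for Describe, and the explicit Deny on tagging behave as they do, here is a small offline IAM-style evaluator (an added example, not code from the question, the answer or AWS). It embeds the two policies quoted in the answer; the instance ID and user names used in the checks are constructed.

```python
import fnmatch

# Policies copied from the answer above (the answer's own policy and the AWS
# tag-based example it links to); the account id 123456789012 is the answer's.
ANSWER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Action": ["cloudwatch:*", "ec2:Describe*"], "Effect": "Allow", "Resource": "*"},
    {"Action": ["ec2:StartInstances", "ec2:StopInstances"], "Effect": "Allow",
     "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"}]}
TAG_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/UserName": "${aws:username}"}}},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["ec2:CreateTags", "ec2:DeleteTags"], "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value, case_insensitive=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    if case_insensitive:  # action names are case-insensitive, ARNs are not
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, ctx):
    # Only StringEquals is modelled; ${aws:username} is filled from the request context.
    for key, expected in condition.get("StringEquals", {}).items():
        expected = expected.replace("${aws:username}", ctx.get("aws:username", ""))
        if ctx.get(key) != expected:
            return False
    return True


def evaluate(policy, action, resource, ctx=None):
    """'Allow' or 'Deny' for one request: explicit Deny wins, no match is implicit Deny."""
    ctx = ctx or {}
    decision = "Deny"  # implicit deny until some statement allows
    for stmt in policy["Statement"]:
        if not any(_match(a, action, True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides every Allow
        decision = "Allow"
    return decision


if __name__ == "__main__":
    inst = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"  # constructed
    print(evaluate(ANSWER_POLICY, "ec2:StartInstances", inst), "(same region as the ARN)")
    print(evaluate(ANSWER_POLICY, "ec2:StartInstances", inst.replace("us-east-1", "eu-central-1")))
```

The second request is denied because the ARN in the answer is scoped to one region; an instance ARN carries the region, not an availability zone such as eu-central-1b.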