我创建了一个custom IAM policy来限制基于标签的用户访问权限,例如Resource tag Name有任何值测试,然后用户可以start stop reboot该实例。
这是我的政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "TheseActionsDontSupportResourceLevelPermissions",
"Effect": "Allow",
"Action": ["ec2:Describe*"],
"Resource": "*"
},
{
"Sid": "TheseActionsSupportResourceLevelPermissionsWithTags",
"Effect": "Allow",
"Action": [
"ec2:TerminateInstances",
"ec2:StopInstances",
"ec2:StartInstances"
],
"Resource": "arn:aws:ec2:us-east-1:acct_no:instance/*",
"Condition": {
"ForAnyValue:StringEquals": {
"ec2:ResourceTag/Name": "Test"
}
}
}
]
}
但是当我应用策略时,用户无法执行指定的操作。
请帮助。
谢谢
答案 0 :(得分:3)
ForAnyValue对于您的condition用例不合适Amazon IAM,因为它仅适用于集合(有关详细信息,请参阅Creating a Condition That Tests Multiple Key Values (Set Operations)) - 只需删除{{1}前缀应该产生一个工作策略,参见例如Resource-level Permissions for EC2 – Controlling Management Access on Specific Instances中的示例:
ForAnyValue: