Restricting permission to launch only specific images on Amazon EC2

Date: 2015-06-18 15:37:21

Tags: amazon-web-services amazon-ec2

I created a user and gave him the following permissions. I want the user to be able to launch only AMIs that carry a specific tag key/value ("Open"). But the user gets "Initialization failed" while launching an instance from the image.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1434563026000",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/ImgEnv": "Open"
                }
            },
            "Resource": [
                "arn:aws:ec2:*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "ec2:*Vpc*",
                "ec2:*Subnet*",
                "ec2:*Gateway*",
                "ec2:*Vpn*",
                "ec2:*Route*",
                "ec2:*Address*",
                "ec2:*SecurityGroup*",
                "ec2:*NetworkAcl*",
                "ec2:*DhcpOptions*"
            ],
            "Resource": "*"
        }
    ]
}

1 answer:

Answer 0 (score: 0)

Here is a policy that works for you (be sure to replace 'account' with your account ID, and change the region if you are not using us-east-1):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:us-east-1::image/ami-*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/ImgEnv": "Open"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:us-east-1:account:instance/*",
                "arn:aws:ec2:us-east-1:account:volume/*",
                "arn:aws:ec2:us-east-1:account:key-pair/*",
                "arn:aws:ec2:us-east-1:account:security-group/*"
            ]
        }
    ]
}

I think building the policy this way is necessary because not all of the resources in the RunInstances context need to be (or are) tagged. Only the image.

I found http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html useful while checking and testing this answer.

P.S. I focused on your RunInstances permission. You should still add further policies to allow the Describe and other APIs you need, for example:

    {
        "Effect": "Allow",
        "Action": [
            "ec2:Describe*",
            "ec2:*Vpc*",
            "ec2:*Subnet*",
            "ec2:*Gateway*",
            "ec2:*Vpn*",
            "ec2:*Route*",
            "ec2:*Address*",
            "ec2:*SecurityGroup*",
            "ec2:*NetworkAcl*",
            "ec2:*DhcpOptions*"
        ],
        "Resource": "*"
    }
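The answer's point is that IAM authorizes ec2:RunInstances per resource: the AMI, the instance, its volumes, the key pair and the security groups are each checked against the policy, and the call succeeds only if every one of them is allowed. The question's single statement puts the ec2:ResourceTag/ImgEnv condition on every one of those resources, and the instance, volume, key pair and security group carry no such tag, so they are denied. The following is an added example, not code from the question or the answer: a small Python model of that per-resource evaluation, run against both policies. It handles only Allow statements with StringEquals on ec2:ResourceTag keys, leaves out the subnet and network-interface resources that a VPC launch also checks, and the account ID, AMI ID, key name and security group ID are constructed sample values.

```python
"""Mini IAM evaluator for ec2:RunInstances (added illustration, not part of
the original question or answer).

RunInstances is authorized one resource at a time: the AMI, the instance,
its volumes, the key pair and the security groups. The call succeeds only if
every one of them is allowed. Only Allow statements and StringEquals on
ec2:ResourceTag/<Key> are modelled here. The account ID, AMI ID, key name
and security group ID are constructed sample data.
"""
import re

ACCOUNT = "123456789012"  # constructed sample account ID ('account' in the answer)
REGION = "us-east-1"
# AMIs are not owned by the caller's account, so the account field of their ARN is empty.
IMAGE_ARN = "arn:aws:ec2:{region}::image/ami-0123456789abcdef0"


def run_instances_request(image_tags, region=REGION):
    """Resources IAM evaluates for one RunInstances call (constructed sample).

    Only the AMI carries tags, exactly the situation described in the question."""
    return [
        (IMAGE_ARN.format(region=region), image_tags),
        (f"arn:aws:ec2:{region}:{ACCOUNT}:instance/*", {}),
        (f"arn:aws:ec2:{region}:{ACCOUNT}:volume/*", {}),
        (f"arn:aws:ec2:{region}:{ACCOUNT}:key-pair/my-key", {}),
        (f"arn:aws:ec2:{region}:{ACCOUNT}:security-group/sg-0a1b2c3d", {}),
    ]


# The question's policy: one tag-conditioned statement covering every EC2 resource.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": ["arn:aws:ec2:*"],
            "Condition": {"StringEquals": {"ec2:ResourceTag/ImgEnv": "Open"}},
        }
    ],
}

# The answer's policy: the tag condition is attached to the image only.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [f"arn:aws:ec2:{REGION}::image/ami-*"],
            "Condition": {"StringEquals": {"ec2:ResourceTag/ImgEnv": "Open"}},
        },
        {
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/*",
                f"arn:aws:ec2:{REGION}:{ACCOUNT}:volume/*",
                f"arn:aws:ec2:{REGION}:{ACCOUNT}:key-pair/*",
                f"arn:aws:ec2:{REGION}:{ACCOUNT}:security-group/*",
            ],
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def iam_match(pattern, value):
    """IAM wildcard matching for Action and Resource: '*' any run of characters, '?' one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def condition_holds(condition, tags):
    """StringEquals on ec2:ResourceTag/<Key>; a resource without the tag fails the check."""
    for key, expected in condition.get("StringEquals", {}).items():
        if not key.startswith("ec2:ResourceTag/"):
            raise ValueError(f"condition key not modelled: {key}")
        if tags.get(key[len("ec2:ResourceTag/"):]) not in _as_list(expected):
            return False
    return True


def resource_allowed(policy, action, arn, tags):
    """True if some Allow statement matches the action and ARN and its condition holds."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(iam_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(iam_match(r, arn) for r in _as_list(stmt["Resource"])):
            continue
        if condition_holds(stmt.get("Condition", {}), tags):
            return True
    return False


def denied_resources(policy, request):
    """ARNs in the request that no statement allows; an empty list means the call succeeds."""
    return [arn for arn, tags in request
            if not resource_allowed(policy, "ec2:RunInstances", arn, tags)]


def run_instances_allowed(policy, request):
    return not denied_resources(policy, request)


if __name__ == "__main__":
    open_ami = run_instances_request({"ImgEnv": "Open"})
    print("question's policy, tagged AMI, denied:", denied_resources(ORIGINAL_POLICY, open_ami))
    print("answer's policy, tagged AMI, denied:  ", denied_resources(FIXED_POLICY, open_ami))
    print("answer's policy, untagged AMI, denied:", denied_resources(FIXED_POLICY, run_instances_request({})))
```

With the question's policy, the image itself passes (arn:aws:ec2:* matches it and the tag is Open) but the other four resources are denied because they have no ImgEnv tag, which is the failure the asker saw. With the answer's policy the same request is allowed, an AMI tagged with anything other than Open is denied on the image alone, and a launch in a region other than us-east-1 is denied on every resource, since every ARN pattern in that policy names the region.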