我正在尝试创建一个用户策略来限制启动实例在特定区域和t1.micro类型,我尝试了几个解决方案,但到目前为止都没有。
即使这个不允许描述实例状态,我创建使用此策略来启动实例但我不能使用API来描述其状态,不确定是什么问题。任何帮助表示赞赏。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "..",
"Effect": "Allow",
"Action": [
"ec2:*"
],
"Resource": [
"arn:aws:ec2:us-west-2:*:*"
]
}
]
}
答案 0 :(得分:1)
我找到了this aws文档,它解释了什么api不支持资源级别权限,为什么我的问题中的策略不起作用,以下工作为我的情况后移动一些操作使用* for资源:
{
"Version": "2012-10-17",
"Statement": [
{ // This allows viewing instances if user login to dashboard (does not include cloudwatch, you can add it if you want)
"Effect": "Allow",
"Action": [
"ec2:Describe*"
],
"Resource": "*"
},
{ // Users are limited to starting instances that in west region, and only micro instances
"Effect": "Allow",
"Action": [
"ec2:RunInstances",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances"
],
"Resource": "arn:aws:ec2:us-west-2:*:instance/*",
"Condition": {
"StringEquals": {
"ec2:InstanceType": [
"t1.micro",
"t2.micro"
]
}
}
},
{ // allow user to launch instances using images in west region
"Effect": "Allow",
"Action": [
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:us-west-2:*:image/ami-*",
"arn:aws:ec2:us-west-2:*:subnet/*",
"arn:aws:ec2:us-west-2:*:network-interface/*",
"arn:aws:ec2:us-west-2:*:volume/*",
"arn:aws:ec2:us-west-2:*:key-pair/*",
"arn:aws:ec2:us-west-2:*:security-group/*"
]
},
{ // these don't fall under resource-level permission, so they need to be separated in order to users to launch instances
"Effect": "Allow",
"Action": [
"ec2:CreateSecurityGroup",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress"
],
"Resource": "*"
},
{ // This also cannot have resource-level permission, allows user to create images from existing running instances
"Effect": "Allow",
"Action": [
"ec2:CreateImage"
],
"Resource": [
"*"
]
}
]
}
希望这有助于其他人。