Question

我正在尝试应用策略以允许IAM用户仅访问EC2的特定实例。这是我申请的政策：

{
"Statement": [
    {
        "Action": [
            "ec2:StartInstances",
            "ec2:StopInstances",
            "ec2:RebootInstances",
            "ec2:TerminateInstances"
        ],
        "Resource": [
            "arn:aws:ec2:us-east-1:my_account_id:instance/my_instance_id"
        ],
        "Effect": "Allow"
    }
]
}

但是，用户无法在仪表板上看到任何EC2实例。我做错了什么？

Answer 1

此博客文章解决了您的确切问题：https://blogs.aws.amazon.com/security/post/Tx2KPWZJJ4S26H6/Demystifying-EC2-Resource-Level-Permissions

它使用此策略作为示例（与您的相同，除了*而不是特定的实例ID）：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TheseActionsSupportResourceLevelPermissions",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances",
                "ec2:TerminateInstances",
                "ec2:StopInstances",
                "ec2:StartInstances"
            ],
            "Resource": "arn:aws:ec2:us-east-1:accountid:instance/*"
        }
    ]
}

并按如下方式对其进行更新，以解决未经授权的问题：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TheseActionsDontSupportResourceLevelPermissions",
            "Effect": "Allow",
            "Action": ["ec2:Describe*"],
            "Resource": "*"
        },
        {
            "Sid": "TheseActionsSupportResourceLevelPermissions",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances",
                "ec2:TerminateInstances",
                "ec2:StopInstances",
                "ec2:StartInstances"
            ],
            "Resource": "arn:aws:ec2:us-east-1:accountid:instance/*"
        }
    ]
}

分配IAM用户只能访问一个EC2实例

1 个答案: