I have attached the following custom IAM policy as an inline policy to an IAM user, but when I log in as that user and try to launch an EC2 instance, it does not work. My requirement is to allow the user to launch only t2.micro instances.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeImages",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:us-east-1:xxxxxxxxx:network-interface/*",
                "arn:aws:ec2:us-east-1:xxxxxxxxx:volume/*",
                "arn:aws:ec2:us-east-1:xxxxxxxxx:key-pair/*",
                "arn:aws:ec2:us-east-1:xxxxxxxxx:security-group/*",
                "arn:aws:ec2:us-east-1:xxxxxxxxx:subnet/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:us-east-1:xxxxxxxxx:instance/*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:InstanceType": "t2.micro"
                }
            }
        }
    ]
}
Any guesses as to what might be wrong?
Answer 0: (score: 0)
I think your policy is missing the following:
"arn:aws:ec2:us-east-1::image/ami-*"
Alternatively, you can specify a particular image:
"arn:aws:ec2:us-east-1::image/ami-xxxxxxxx"
Answer 1: (score: 0)
You could allow ec2:* instead of restricting the Allow, but add a policy that denies anything other than t2.micro:
{
    "Action": [
        "ec2:RunInstances"
    ],
    "Effect": "Deny",
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {
        "StringNotEquals": {
            "ec2:InstanceType": [
                "t2.micro"
            ]
        }
    }
},
However, be careful, because someone could launch a t2.micro, stop it, modify the instance type, and then start it again!
To prevent this, you can add:
{
    "Action": [
        "ec2:ModifyInstanceAttribute"
    ],
    "Effect": "Deny",
    "Resource": "*"
},
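As an added example that is not part of the question or either answer: a small Python model of how IAM would evaluate Answer 1's ec2:* allow plus its two Deny statements, with the image ARN from Answer 0 included in the set of resources a RunInstances call touches. The account id, the AMI id and the evaluator itself are constructed simplifications (explicit deny wins, implicit deny otherwise, only StringEquals/StringNotEquals modelled).

```python
"""Simplified model of IAM evaluation for the t2.micro-only policies above."""
from fnmatch import fnmatchcase

ACCOUNT, REGION, AMI = "111122223333", "us-east-1", "ami-0abc1234"  # constructed placeholders

POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    # Answer 1: deny RunInstances for any instance type other than t2.micro
    {"Effect": "Deny", "Action": ["ec2:RunInstances"],
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringNotEquals": {"ec2:InstanceType": ["t2.micro"]}}},
    # Answer 1 caveat: block the stop -> change type -> start bypass
    {"Effect": "Deny", "Action": ["ec2:ModifyInstanceAttribute"], "Resource": "*"},
]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_ok(cond, ctx):
    """True when every condition clause is satisfied by the request context."""
    for op, kv in cond.items():
        for key, vals in kv.items():
            present = ctx.get(key) in _as_list(vals)
            if op == "StringEquals" and not present:
                return False
            if op == "StringNotEquals" and present:
                return False
    return True

def evaluate(policy, action, resource, ctx):
    """Return 'Allow' or 'Deny' for one action/resource pair; explicit Deny wins."""
    verdict = "Deny"  # implicit deny until an Allow matches
    for st in policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _condition_ok(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        verdict = "Allow"
    return verdict

def run_instances(policy, instance_type):
    """RunInstances is authorised per resource ARN: every one must be allowed."""
    arns = [f"arn:aws:ec2:{REGION}:{ACCOUNT}:{r}/*" for r in
            ("instance", "network-interface", "volume", "key-pair", "security-group", "subnet")]
    arns.append(f"arn:aws:ec2:{REGION}::image/{AMI}")  # the ARN Answer 0 points out
    ctx = {"ec2:InstanceType": instance_type}
    return all(evaluate(policy, "ec2:RunInstances", a, ctx) == "Allow" for a in arns)
```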