IAM policy requiring tags

Time: 2017-10-17 20:25:38

Tags: amazon-web-services amazon-ec2 amazon

This is my policy that tries to allow creating an instance only when it has the tags costcenter and dept with the values 115 and prod. But when I test it, the instance is created even without these tags.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowTaggedInstances",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:us-east-1:729964090428:instance/*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/costcenter": "115",
                    "aws:RequestTag/dept": "prod"
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": [
                        "costcenter",
                        "dept"
                    ]
                }
            }
        }
    ]
}
```

2 answers:

Answer 0 (score: 0)

The policy you show does not have enough permissions to create an instance. That means you have another policy or role that overrides this policy or role.

In your policy, replace "RequestTag" with "ResourceTag".

Note: the best policies that use conditions do not use "allow if this" but "deny if not this". A deny overrides all allows.

Here is a link to help you with ResourceTags:

EC2 Resource Tags

Answer 1 (score: 0)

Your policy does not have enough permissions, nor the policies to restrict it.
If you want to allow users to create new instances with the tags costcenter:115 and dept:prod, try the following policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "ec2:GetConsole*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:region::image/*",
        "arn:aws:ec2:region:account:subnet/*",
        "arn:aws:ec2:region:account:network-interface/*",
        "arn:aws:ec2:region:account:security-group/*",
        "arn:aws:ec2:region:account:key-pair/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:region:account:instance/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/costcenter": "115",
          "aws:RequestTag/dept": "prod"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": [
            "costcenter",
            "dept"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags"
      ],
      "Resource": "arn:aws:ec2:region:account:*/*",
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": "RunInstances"
        }
      }
    }
  ]
}
```
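To see why the tag-conditioned Allow in the policies above permits nothing on its own for an untagged request, and how the "deny if not this" pattern from Answer 0 closes the gap, the following added example (not code from the question, the answers, or AWS) simulates the documented IAM evaluation rules: explicit Deny wins over any Allow, `StringEquals` fails when the request lacks the key, negated operators such as `StringNotEquals` succeed when the key is missing, and `ForAllValues:StringEquals` is vacuously true when the request sends no values. All function names, the request contexts and the account ID `123456789012` are constructed for this illustration.

```python
"""Minimal simulator of IAM condition evaluation for tag-on-create requests.
Added illustration, not code from the question, the answers, or AWS. It models
only the operators needed here and the documented order: explicit Deny wins,
then any matching Allow, otherwise implicit deny. Account ID is a placeholder."""
import fnmatch
from typing import Any

Context = dict[str, Any]  # single-valued keys -> str, multi-valued keys -> list[str]


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def _single_valued(op: str, ctx: Context, key: str, wanted: list[str]) -> bool:
    """Operators on single-valued keys such as aws:RequestTag/<tag>."""
    present = key in ctx
    if op == "StringEquals":
        return present and ctx[key] in wanted           # missing key -> False
    if op == "StringNotEquals":
        return (not present) or ctx[key] not in wanted  # negated op: missing key -> True
    if op == "Null":
        return (not present) if wanted[0] == "true" else present
    raise ValueError(f"unsupported operator: {op}")


def _multi_valued(op: str, ctx: Context, key: str, wanted: list[str]) -> bool:
    """Set operators on multi-valued keys such as aws:TagKeys."""
    values = ctx.get(key, [])
    if op == "ForAllValues:StringEquals":
        return all(v in wanted for v in values)  # vacuously True when no values are sent
    if op == "ForAnyValue:StringEquals":
        return any(v in wanted for v in values)
    raise ValueError(f"unsupported operator: {op}")


def condition_holds(condition: dict, ctx: Context) -> bool:
    """Every operator block, and every key inside a block, must match (AND)."""
    for op, keys in condition.items():
        for key, value in keys.items():
            wanted = [str(v) for v in _as_list(value)]
            matcher = _multi_valued if op.startswith(("ForAllValues:", "ForAnyValue:")) else _single_valued
            if not matcher(op, ctx, key, wanted):
                return False
    return True


def statement_applies(stmt: dict, action: str, resource: str, ctx: Context) -> bool:
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and condition_holds(stmt.get("Condition", {}), ctx))


def evaluate(policy: dict, action: str, resource: str, ctx: Context) -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request."""
    hits = [s for s in policy["Statement"] if statement_applies(s, action, resource, ctx)]
    if any(s["Effect"] == "Deny" for s in hits):
        return "Deny"
    if any(s["Effect"] == "Allow" for s in hits):
        return "Allow"
    return "ImplicitDeny"


# The tag-conditioned Allow from the answers above (placeholder account ID).
ALLOW_TAGGED = {
    "Effect": "Allow",
    "Action": "ec2:RunInstances",
    "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
    "Condition": {
        "StringEquals": {"aws:RequestTag/costcenter": "115", "aws:RequestTag/dept": "prod"},
        "ForAllValues:StringEquals": {"aws:TagKeys": ["costcenter", "dept"]},
    },
}


def deny_unless_tag(key: str, value: str) -> dict:
    """'Deny if not this': fires when the tag is absent or has another value,
    so an unconditional Allow elsewhere cannot override the requirement."""
    return {
        "Effect": "Deny",
        "Action": "ec2:RunInstances",
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"StringNotEquals": {f"aws:RequestTag/{key}": value}},
    }


def decide(ctx: Context, with_denies: bool) -> str:
    stmts = [ALLOW_TAGGED]
    if with_denies:
        stmts += [deny_unless_tag("costcenter", "115"), deny_unless_tag("dept", "prod")]
    policy = {"Version": "2012-10-17", "Statement": stmts}
    return evaluate(policy, "ec2:RunInstances",
                    "arn:aws:ec2:us-east-1:123456789012:instance/i-0example", ctx)


# Constructed request contexts, as IAM would build them for RunInstances.
REQ_OK = {"aws:RequestTag/costcenter": "115", "aws:RequestTag/dept": "prod",
          "aws:TagKeys": ["costcenter", "dept"]}
REQ_NO_TAGS: Context = {}
REQ_EXTRA_TAG = {**REQ_OK, "aws:RequestTag/env": "test", "aws:TagKeys": ["costcenter", "dept", "env"]}
REQ_WRONG_VALUE = {**REQ_OK, "aws:RequestTag/costcenter": "999"}

if __name__ == "__main__":
    for name, ctx in [("ok", REQ_OK), ("no tags", REQ_NO_TAGS),
                      ("extra tag", REQ_EXTRA_TAG), ("wrong value", REQ_WRONG_VALUE)]:
        print(f"{name:12} allow-only: {decide(ctx, False):13} with denies: {decide(ctx, True)}")
```

With only the Allow statement, an untagged request ends in implicit deny, so if an instance still launches without tags some other Allow must be in effect, which is the point Answer 0 opens with. The two explicit Deny statements make the tag requirement hold regardless of what other permissions the principal has, and a request carrying an extra tag key is still refused because `ForAllValues:StringEquals` on `aws:TagKeys` rejects keys outside the listed set.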