I am trying to write a policy that predefines tag values, so that when an instance is launched without the required tags and their values, the instance should not be created. The instance should have costcenter and dept as tags, and the values should be 115 and production. Only then should we be able to launch the instance. Can someone help me with this policy?
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "ec2:GetConsole*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:region::image/*",
                "arn:aws:ec2:region:account:subnet/*",
                "arn:aws:ec2:region:account:network-interface/*",
                "arn:aws:ec2:region:account:security-group/*",
                "arn:aws:ec2:region:account:key-pair/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:region:account:instance/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/costcenter": "115",
                    "aws:RequestTag/dept": "prod"
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": [
                        "costcenter",
                        "dept"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": "arn:aws:ec2:region:account:*/*",
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": "RunInstances"
                }
            }
        }
    ]
}
Answer 0: (score: 0)
If there is only one tag, you can try this sample of a Deny action; you can modify the code with multiple block statements for multiple policies:
{
    "Sid": "AllowLaunchOnlyWithRequiredTags1",
    "Effect": "Deny",
    "Action": "ec2:RunInstances",
    "Resource": "arn:aws:ec2:us-east-1:accountid:instance/*",
    "Condition": {
        "Null": {"aws:RequestTag/costcenter": "true"}
    }
},
{
    "Sid": "AllowLaunchOnlyWithRequiredTags2",
    "Effect": "Deny",
    "Action": "ec2:RunInstances",
    "Resource": "arn:aws:ec2:us-east-1:accountid:instance/*",
    "Condition": {
        "Null": {"aws:RequestTag/stack": "true"}
    }
}
Additionally, you can list the enforced tags as:
"Condition": {
    "StringEquals": {
        "aws:RequestTag/costcenter": "115",
        "aws:RequestTag/stack": "prod"
    },
    "ForAllValues:StringEquals": {
        "aws:TagKeys": ["costcenter", "stack"]
    }
}
The ForAllValues qualifier requires that all requested values be listed in the policy.
Another approach: you can use StringLike or StringNotLike to do this, but it is limited to wildcards, if that applies to you. Something like:
"Statement": [
    {
        "Sid": "DenyMissingTags",
        "Effect": "Deny",
        "Action": "ec2:RunInstances",
        "Resource": "arn:aws:ec2:us-east-1:accountid:instance/*",
        "Condition": {
            "StringLike": {
                "aws:RequestTag/costcenter": "*",
                "aws:RequestTag/stack": "*"
            }
        }
    }
]
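As an added example that is not part of the question or the answer: a small Python model of how IAM combines the tag-conditioned Allow from the question with the Null-based Deny from the answer. It reduces each statement to its Effect and Condition, builds the request context from constructed tag sets, and is a simplification, not the real IAM evaluation engine.

```python
import fnmatch
# Added illustration (not IAM's real engine): a minimal evaluator for the
# condition operators used above, run on a constructed RunInstances context.

def request_context(tags):
    """Context keys IAM derives from the tags passed to RunInstances."""
    ctx = {f"aws:RequestTag/{k}": v for k, v in tags.items()}
    ctx["aws:TagKeys"] = list(tags)  # multivalued key
    return ctx

def condition_matches(condition, ctx):
    """True when every operator block of a Condition element matches ctx."""
    for operator, block in condition.items():
        for key, expected in block.items():
            present = key in ctx
            if operator == "Null":
                # "true" requires the key to be absent, "false" to be present
                if (expected == "true") == present:
                    return False
            elif operator == "ForAllValues:StringEquals":
                # every request value must be in the policy list; absent key matches
                if present and not set(ctx[key]) <= set(expected):
                    return False
            elif operator == "StringEquals":
                if not present or ctx[key] != expected:
                    return False
            elif operator == "StringLike":
                if not present or not fnmatch.fnmatchcase(ctx[key], expected):
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True

def decision(statements, tags):
    """Explicit Deny beats Allow; no matching Allow is an implicit deny."""
    ctx = request_context(tags)
    allowed = False
    for stmt in statements:
        if condition_matches(stmt.get("Condition", {}), ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"

# The tag-conditioned Allow from the question and the Null-based Deny from the answer
ALLOW_TAGGED = {"Effect": "Allow", "Condition": {
    "StringEquals": {"aws:RequestTag/costcenter": "115", "aws:RequestTag/dept": "prod"},
    "ForAllValues:StringEquals": {"aws:TagKeys": ["costcenter", "dept"]}}}
DENY_NO_DEPT = {"Effect": "Deny", "Condition": {"Null": {"aws:RequestTag/dept": "true"}}}
BROAD_ALLOW = {"Effect": "Allow"}  # stands in for an unconditional grant elsewhere
```

Running `decision` with `[ALLOW_TAGGED, BROAD_ALLOW]` shows why the answer adds a Deny: once any other statement grants RunInstances, a launch missing the dept tag is allowed unless an explicit Deny such as DENY_NO_DEPT is present.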