我正在尝试使用此策略来限制用户将任何实例启动到指定的VPC中。但是,我仍然可以启动实例!为什么这项政策不起作用?显然,资源资源":" arn:aws:ec2 ::: vpc // vpc-xyz在我的生产模板中有实际值
"Statement": [
{
"Action": [
"ec2:Run*",
"ec2:Terminate*",
"ec2:Cancel*",
"ec2:Create*",
"ec2:Delete*",
"ec2:Modify*",
"ec2:Start*",
"ec2:Stop*"
],
"Resource": "arn:aws:ec2:<REGION>:<ACCOUNT-ID>:vpc/<VPC-ID>/vpc-xyz",
"Effect": "Deny",
"Sid": "DenyInstanceActionsForVPC"
},
{
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Project": [
"Cloud Services",
"MDH",
"Shine"
]
}
},
"Action": [
"ec2:Run*",
"ec2:Terminate*",
"ec2:Cancel*",
"ec2:Create*",
"ec2:Delete*",
"ec2:Modify*",
"ec2:Start*",
"ec2:Stop*"
],
"Resource": "*",
"Effect": "Deny",
"Sid": "DenyInstanceActionsForCStaggedResources"
}
]
}
答案 0 :(得分:0)
第一项。您的政策不允许。因此,你不应该做任何事情。首先解决这个问题。
接下来修改您的第一个语句,如下所示:
{
"Sid": "DenyInstanceActionsForVPC",
"Effect": "Deny",
"Action": [
"ec2:Run*",
"ec2:Terminate*",
"ec2:Cancel*",
"ec2:Create*",
"ec2:Delete*",
"ec2:Modify*",
"ec2:Start*",
"ec2:Stop*"
],
"Resource": "arn:aws:ec2:REGION:ACCOUNTNUMBER:subnet/*",
"Condition": {
"StringEquals": {
"ec2:vpc": "arn:aws:ec2:REGION:ACCOUNTNUMBER:vpc/VPC-ID"
}
}
},