最初在https://forums.aws.amazon.com/thread.jspa?messageID=825006#825006
上询问我正在尝试将某些操作限制为特定来源。例如,EC2和Cloudformation只能从某个源IP地址访问。我可以通过以下政策实现这一目标:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": ["ec2:*", "cloudformation:*"],
"Resource": "*",
"Condition": {
"NotIpAddress": { "aws:SourceIp": ["1.2.3.4"] }
}
}
]
}
这很好用(假设ec2和cloudformation上有一个允许用户没有条件),因为我现在可以从源IP 1.2.3.4
创建/查看EC2实例,但是从其他来源尝试错误。
但是,如果我尝试创建包含EC2实例的Cloudformation堆栈,则RunInstance操作会继承我的用户帐户,但不会继承我的源IP。我想更新条件以允许从Deny
中排除Cloudformation源。我试过这个:
"Condition": {
"NotIpAddress": { "aws:SourceIp": ["1.2.3.4"] },
"StringNotEquals": {"aws:SourceIp":"cloudformation.amazonaws.com" }
}
}
我还在这些操作上尝试了2个Allow
语句,每个语句只有1个条件 - IpAddress
包含sourceIp,第2个允许语句包含"StringEquals" : {"aws:SourceIp":"cloudformation.amazonaws.com"}
这些操作。当CloudFormation尝试执行RunInstances操作时,我仍然会收到错误。
此处显示失败的CloudTrail事件:
{
"eventVersion": "1.05",
"userIdentity": {
"type": "AssumedRole",
"principalId": "REDACTED",
"arn": "REDACTED",
"accountId": "REDACTED",
"sessionContext": {
"attributes": {
"creationDate": "2018-01-19T07:47:40Z"
},
"sessionIssuer": {
"type": "Role",
"principalId": "REDACTED",
"arn": "arn:aws:iam::REDACTED",
"accountId": "REDACTED",
"userName": "REDACTED"
}
},
"invokedBy": "cloudformation.amazonaws.com"
},
"eventTime": "2018-01-19T08:10:39Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "RunInstances",
"awsRegion": "REDACTED",
"sourceIPAddress": "cloudformation.amazonaws.com",
"userAgent": "cloudformation.amazonaws.com",
"errorCode": "Client.UnauthorizedOperation",
"errorMessage": "You are not authorized to perform this operation. Encoded authorization failure message: REDACTED",
"requestParameters": { <details of instance here> },
"responseElements": null,
"requestID": "REDACTED",
"eventID": "REDACTED",
"eventType": "AwsApiCall",
"recipientAccountId": "REDACTED"
}
我在aws:SourceIp
,aws:SourceIpAddress
,aws:UserAgent
上尝试了字符串匹配 - 如何让ec2操作进行云端映射?
感谢。