如何在IAM策略中限制ec2:RunInstances的EC2 EBS卷大小?

时间:2018-03-05 06:32:50

标签: amazon-web-services amazon-ec2 amazon-iam

我现在拥有的IAM策略能够限制实例类型,但我还希望能够将EBS卷大小限制为低于某个值。我如何修改以下JSON IAM策略?我最好想要一些条件"条件":#34; IntegerLessThanOrEquals",但手动指定每个数字是可以接受的,因为我需要将它限制为10 GiB。 / p> 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AdminPermissions",
            "Effect": "Allow",
            "Action": [
                "ssm:SendCommand",
                "ssm:GetCommandInvocation",
                "ec2:StopInstances",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeNetworkInterfaces",
                "ec2:CreateTags"
            ],
            "Resource": "*"
        },
        {
            "Sid": "RunInstanceResourcePermissions",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*::image/*"
            ]
        },
        {
            "Sid": "LimitInstanceTypes",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:InstanceType": [
                        "t2.nano",
                        "t2.micro",
                        "t2.small",
                        "t2.medium"
                    ]
                }
            }
        }
    ]
}

编辑:回答

这是我得到的解决方案。声明" LimitInstanceVolumeSize"是新的,资源" arn:aws:ec2::volume / *"被移到了它。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AdminPermissions",
            "Effect": "Allow",
            "Action": [
                "ssm:SendCommand",
                "ssm:GetCommandInvocation",
                "ec2:StopInstances",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeNetworkInterfaces",
                "ec2:CreateTags"
            ],
            "Resource": "*"
        },
        {
            "Sid": "RunInstanceResourcePermissions",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*::image/*"
            ]
        },
        {
            "Sid": "LimitInstanceVolumeSize",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*"
            ],
            "Condition": {
                "NumericLessThanEquals": {
                    "ec2:VolumeSize": "16"
                }
            }
        },
        {
            "Sid": "LimitInstanceTypes",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:InstanceType": [
                        "t2.nano",
                        "t2.micro",
                        "t2.small",
                        "t2.medium"
                    ]
                }
            }
        }
    ]
}

1 个答案:

答案 0 :(得分:1)

您可以使用条件密钥ec2:VolumeSize来实现此目标,资源为arn:aws:ec2:region:account:volume/*,API操作为AttachVolume

由于

相关问题
最新问题