I have two VPCs in my account. Using an IAM policy, we restrict EC2 AMIs to a selected list of AMIs. Here is the policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:RunInstances"
      ],
      "Effect": "Deny",
      "NotResource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:key-pair/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*::snapshot/*",
        "arn:aws:ec2:*::image/ami-12ab3456",
        "arn:aws:ec2:*::image/ami-34de5678"
      ]
    }
  ]
}
```
Now I want to apply this restriction to only one VPC. For the other VPC, I don't want any restriction on AMIs. To achieve this, I made the following change to the IAM policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EC2RunInstanceForVPC2",
      "Action": "ec2:RunInstances",
      "Effect": "Deny",
      "NotResource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:subnet/subnet-1a2bcd34",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:key-pair/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*::snapshot/*",
        "arn:aws:ec2:*:*:placement-group/*",
        "arn:aws:ec2:*::image/ami-*"
      ]
    },
    {
      "Sid": "EC2RunInstanceForVPC1",
      "Action": "ec2:RunInstances",
      "Effect": "Deny",
      "NotResource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:subnet/subnet-a1bc23d4",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:key-pair/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*::snapshot/*",
        "arn:aws:ec2:*::image/ami-12ab3456",
        "arn:aws:ec2:*::image/ami-34de5678"
      ]
    }
  ]
}
```
But this does not work. Can someone help me achieve this permission setup through an IAM policy?

Regards, Veeresham
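As an added illustration (not part of the question or the answer), here is a small Python model of how IAM evaluates Deny/NotResource statements against the resource ARNs of a single RunInstances call. It reproduces the two policies from the question and shows that each Deny statement is checked independently, so the two-statement version ends up denying launches in both subnets. The account id, region and the request's resource ARNs are constructed values for the example.

```python
import fnmatch

ACCT = "111122223333"  # constructed account id, not a real account
COMMON = [  # resource types the question's policy always exempts from the Deny
    "arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*",
    "arn:aws:ec2:*:*:network-interface/*", "arn:aws:ec2:*:*:key-pair/*",
    "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*::snapshot/*",
]

def deny_not(*extra):
    """Build one Deny statement whose NotResource list is COMMON plus the given patterns."""
    return {"Effect": "Deny", "Action": "ec2:RunInstances", "NotResource": COMMON + list(extra)}

# The question's first policy: any subnet, only the two approved AMIs.
ORIGINAL = {"Statement": [deny_not("arn:aws:ec2:*:*:subnet/*",
    "arn:aws:ec2:*::image/ami-12ab3456", "arn:aws:ec2:*::image/ami-34de5678")]}
# The question's second policy: one Deny per VPC, each pinned to that VPC's subnet.
PER_VPC = {"Statement": [
    deny_not("arn:aws:ec2:*:*:subnet/subnet-1a2bcd34", "arn:aws:ec2:*::image/ami-*"),
    deny_not("arn:aws:ec2:*:*:subnet/subnet-a1bc23d4",
             "arn:aws:ec2:*::image/ami-12ab3456", "arn:aws:ec2:*::image/ami-34de5678"),
]}

def request_arns(ami, subnet):
    """Constructed resource ARNs that IAM authorizes for one RunInstances call."""
    return [f"arn:aws:ec2:us-east-1::image/{ami}",
            f"arn:aws:ec2:us-east-1:{ACCT}:subnet/{subnet}",
            f"arn:aws:ec2:us-east-1:{ACCT}:instance/*",
            f"arn:aws:ec2:us-east-1:{ACCT}:volume/*",
            f"arn:aws:ec2:us-east-1:{ACCT}:network-interface/*",
            f"arn:aws:ec2:us-east-1:{ACCT}:security-group/sg-0123456789abcdef0"]

def denied_arns(statement, arns):
    """ARNs a Deny/NotResource statement hits: every ARN matching none of its patterns."""
    return [a for a in arns
            if not any(fnmatch.fnmatchcase(a, p) for p in statement["NotResource"])]

def launch_allowed(policy, ami, subnet):
    """Assumes a separate policy grants ec2:RunInstances, so only these Denys decide.
    Statements are evaluated independently; one denied ARN anywhere fails the call."""
    arns = request_arns(ami, subnet)
    return not any(denied_arns(s, arns) for s in policy["Statement"])

if __name__ == "__main__":
    for pol, name in ((ORIGINAL, "original"), (PER_VPC, "per-VPC")):
        for ami, subnet in (("ami-12ab3456", "subnet-a1bc23d4"),
                            ("ami-12ab3456", "subnet-1a2bcd34"), ("ami-99999999", "subnet-1a2bcd34")):
            print(name, ami, subnet, "allowed" if launch_allowed(pol, ami, subnet) else "DENIED")
```

Running it shows the original policy admitting the approved AMI in any subnet, while the per-VPC version denies every launch because whichever subnet is used fails the other statement's NotResource list.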
Answer 0 (score: 0)

Assume the user has EC2 full access. You can add another custom policy to restrict one VPC to the specified AMI IDs.

Here is the custom IAM policy for restricting AMIs in the specified VPC:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:REGION:ACCOUNTNUMBER:image/AMIID1",
        "arn:aws:ec2:REGION:ACCOUNTNUMBER:image/AMIID2"
      ],
      "Condition": {
        "ArnNotEquals": {
          "ec2:vpc": "arn:aws:ec2:REGION:ACCOUNTNUMBER:vpc/RESTRICTED_VPCID"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:REGION:ACCOUNTNUMBER:image/ami-*",
        "arn:aws:ec2:REGION:ACCOUNTNUMBER:network-interface/*",
        "arn:aws:ec2:REGION:ACCOUNTNUMBER:instance/*",
        "arn:aws:ec2:REGION:ACCOUNTNUMBER:subnet/*",
        "arn:aws:ec2:REGION:ACCOUNTNUMBER:volume/*",
        "arn:aws:ec2:REGION:ACCOUNTNUMBER:key-pair/*",
        "arn:aws:ec2:REGION:ACCOUNTNUMBER:security-group/*"
      ]
    }
  ]
}
```
Note: in the above policy, you need to change the following.