I created a policy that allows the user to perform all EC2 actions, but explicitly denies running instances, creating volumes and terminating instances unless the user passes the given tag key/value pair.
EC2 full-access policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*"
    }
  ]
}
Explicit deny of EC2 RunInstances and CreateVolume with conditions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "ec2:CreateVolume"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "ForAllValues:StringNotEquals": {
          "aws:TagKeys": "Name",
          "aws:RequestTag/Name": "${aws:username}"
        }
      }
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Deny",
      "Action": "ec2:CreateTags",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "ForAllValues:StringNotEquals": {
          "aws:RequestTag/Name": "${aws:username}"
        },
        "StringNotEquals": {
          "ec2:CreateAction": "RunInstances",
          "aws:TagKeys": "Name"
        }
      }
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Deny",
      "Action": [
        "ec2:DeleteVolume",
        "ec2:TerminateInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "ForAllValues:StringNotEquals": {
          "ec2:ResourceTag/Name": "${aws:username}"
        }
      }
    }
  ]
}
My requirement is to grant all EC2 permissions but restrict RunInstances so that users can only run instances when they pass the tag key "Name" with the tag value set to "their AWS username". However, when this policy is applied to a user, it restricts them to running instances only when they pass the tag key "Name", but it does not restrict the tag value to "their AWS username ${aws:username}". Yet the same restriction works correctly when the user tries to terminate an instance, i.e. the user cannot terminate an instance that has the tag key "Name" and the tag value "their AWS username ${aws:username}".
What could be the mistake in the policy that allows the user to run instances with the tag key "Name" and any value for the tag value, even null?
Answer 0: (score: 1)
You can use the following IAM policy and edit it to your liking. I use it in production and it works perfectly. It will launch the instance if the instance is tagged with a value from the list.
Here, key = Environment, value = mentioned below
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TheseActionsDontSupportResourceLevelPermissions",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*::image/ami-*",
        "arn:aws:ec2:*:ACCOUNT_ID:volume/*",
        "arn:aws:ec2:*:ACCOUNT_ID:subnet/*",
        "arn:aws:ec2:*:ACCOUNT_ID:network-interface/*",
        "arn:aws:ec2:*:ACCOUNT_ID:security-group/*",
        "arn:aws:ec2:*:ACCOUNT_ID:key-pair/*"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:ACCOUNT_ID:instance/*",
      "Condition": {
        "StringNotLike": {
          "aws:RequestTag/Environment": [
            "Testing",
            "Staging",
            "Production",
            "Nightly",
            "Sandbox",
            "LoadTesting"
          ]
        }
      }
    }
  ]
}
Answer 1: (score: 1)
It doesn't work because the following block is implementing a logical OR. So if any condition is satisfied, the instance will launch. You have to create a logical AND by splitting the condition keys into two different blocks, as described here.
"Condition": {
  "ForAllValues:StringNotEquals": {
    "aws:TagKeys": "Name",
    "aws:RequestTag/Name": "${aws:username}"
  }
}
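To make the behaviour the question reports reproducible offline, here is an added example (not code from the question or either answer) that models how IAM evaluates the Deny condition above. It assumes the documented semantics: all keys inside one condition block must match (AND), and a ForAllValues operator is vacuously true when its key is absent from the request. The usernames and tags are constructed sample input.

```python
# Added example: a minimal model of IAM condition evaluation for the Deny
# statement in the question. Shows why a "Name" tag with the wrong value is
# not denied when both keys sit in one block, and what changes when each key
# is checked in its own Deny statement.
from typing import Dict, List, Optional


def for_all_values_string_not_equals(request_values: Optional[List[str]],
                                     policy_values: List[str]) -> bool:
    """ForAllValues:StringNotEquals: true when the key is absent (documented
    vacuous match), otherwise true only if every request value differs from
    every policy value."""
    if not request_values:
        return True
    return all(v not in policy_values for v in request_values)


def request_context(username: str, tags: Dict[str, str]) -> Dict[str, List[str]]:
    """Constructed request context for an ec2:RunInstances call that tags the
    instance with `tags` (hypothetical user and tags, not from the page)."""
    ctx = {"aws:username": [username], "aws:TagKeys": list(tags)}
    for key, value in tags.items():
        ctx[f"aws:RequestTag/{key}"] = [value]
    return ctx


def per_key_results(ctx: Dict[str, List[str]]) -> Dict[str, bool]:
    """Evaluate each key of the question's single condition block on its own."""
    user = ctx["aws:username"][0]
    return {
        "aws:TagKeys": for_all_values_string_not_equals(
            ctx.get("aws:TagKeys"), ["Name"]),
        "aws:RequestTag/Name": for_all_values_string_not_equals(
            ctx.get("aws:RequestTag/Name"), [user]),
    }


def denied_one_block(ctx: Dict[str, List[str]]) -> bool:
    """Question's policy: both keys in one block, so Deny fires only when
    BOTH are true. A present "Name" key makes the aws:TagKeys check false,
    which switches the whole Deny off regardless of the tag value."""
    return all(per_key_results(ctx).values())


def denied_separate_statements(ctx: Dict[str, List[str]]) -> bool:
    """Same two keys, one per Deny statement: any matching Deny statement
    denies, so a wrong value is caught even though the key is present."""
    return any(per_key_results(ctx).values())


if __name__ == "__main__":
    for tags in ({"Name": "alice"}, {"Name": "bob"}, {"Name": ""}, {}):
        ctx = request_context("alice", tags)
        print(tags, per_key_results(ctx),
              "one block:", denied_one_block(ctx),
              "split:", denied_separate_statements(ctx))
```

Running it shows that with one block only the completely untagged request is denied, which matches the question's observation that any value for Name, even an empty one, gets through.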