Explicitly deny users from running instances in AWS when a specific tag key/value is not used

Time: 2018-08-20 11:32:18

Tags: amazon-web-services amazon-ec2 amazon-iam

I have created a policy that allows the user to perform all EC2 actions, but explicitly denies running instances, creating volumes and terminating instances unless the user passes the given tag key-value pair.

  1. EC2 full-access policy

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "ec2:*",
                "Resource": "*"
            }
        ]
    }
    
  2. Explicit deny for EC2 RunInstances and CreateVolume with conditions.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Deny",
                "Action": [
                    "ec2:RunInstances",
                    "ec2:CreateVolume"
                ],
                "Resource": [
                    "arn:aws:ec2:*:*:instance/*",
                    "arn:aws:ec2:*:*:volume/*"
                ],
                "Condition": {
                    "ForAllValues:StringNotEquals": {
                        "aws:TagKeys": "Name",
                        "aws:RequestTag/Name": "${aws:username}"
                    }
                }
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Deny",
                "Action": "ec2:CreateTags",
                "Resource": [
                    "arn:aws:ec2:*:*:instance/*",
                    "arn:aws:ec2:*:*:volume/*"
                ],
                "Condition": {
                    "ForAllValues:StringNotEquals": {
                        "aws:RequestTag/Name": "${aws:username}"
                    },
                    "StringNotEquals": {
                        "ec2:CreateAction": "RunInstances",
                        "aws:TagKeys": "Name"
                    }
                }
            },
            {
                "Sid": "VisualEditor2",
                "Effect": "Deny",
                "Action": [
                    "ec2:DeleteVolume",
                    "ec2:TerminateInstances"
                ],
                "Resource": [
                    "arn:aws:ec2:*:*:instance/*",
                    "arn:aws:ec2:*:*:volume/*"
                ],
                "Condition": {
                    "ForAllValues:StringNotEquals": {
                        "ec2:ResourceTag/Name": "${aws:username}"
                    }
                }
            }
        ]
    }
    

My requirement is to grant all EC2 permissions and to restrict RunInstances so that the user can run instances only when passing the tag key "Name" with the tag value "their AWS username". However, when this policy is applied to a user, it restricts them to running instances only when they pass the tag key "Name", but does not restrict the tag value to "their AWS username ${aws:username}". Yet the same restriction works fine when the user tries to terminate an instance, i.e. the user is unable to terminate an instance with the tag key "Name" and the tag value "their AWS username ${aws:username}".

What could be the mistake in the policy that lets the user run instances with the tag key "Name" and any value for the tag, even null?

2 answers:

Answer 0 (score: 1)

You can use the following IAM policy and edit it to your liking. I use it in production and it works perfectly. It will launch the instance if it is tagged with one of the values in the list.

Here, key = Environment, value = as listed below

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TheseActionsDontSupportResourceLevelPermissions",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:*::image/ami-*",
                "arn:aws:ec2:*:ACCOUNT_ID:volume/*",
                "arn:aws:ec2:*:ACCOUNT_ID:subnet/*",
                "arn:aws:ec2:*:ACCOUNT_ID:network-interface/*",
                "arn:aws:ec2:*:ACCOUNT_ID:security-group/*",
                "arn:aws:ec2:*:ACCOUNT_ID:key-pair/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:ACCOUNT_ID:instance/*",
            "Condition": {
                "StringNotLike": {
                    "aws:RequestTag/Environment": [
                        "Testing",
                        "Staging",
                        "Production",
                        "Nightly",
                        "Sandbox",
                        "LoadTesting"
                    ]
                }
            }
        }
    ]
}

Answer 1 (score: 1)

It doesn't work because the following block implements a logical OR, so the instance will launch if any one of the conditions is satisfied. You have to create a logical AND by splitting the condition keys into two different blocks, as described here.

    "Condition": {
        "ForAllValues:StringNotEquals": {
            "aws:TagKeys": "Name",
            "aws:RequestTag/Name": "${aws:username}"
        }
    }
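To make the evaluation difference concrete, here is an added toy simulation (my own code, not from the question or either answer, and not the real IAM engine) of how one Deny statement with both keys under a single ForAllValues:StringNotEquals operator evaluates compared with two separate Deny statements. It assumes the caller's ${aws:username} is "alice", that an ec2:* Allow like the question's first policy is in place so only the denies decide the outcome, and that a condition key missing from the request satisfies a ForAllValues operator.

```python
# Toy model of IAM Deny-condition evaluation for the RunInstances case above.
# Added example, not the real IAM engine: it models only StringNotEquals and
# ForAllValues:StringNotEquals, with keys under one operator ANDed together
# and each Deny statement evaluated independently of the others.

USER = "alice"  # assumed value of ${aws:username}

def not_equals_satisfied(ctx, key, expected, for_all_values):
    """True when the (ForAllValues:)StringNotEquals test on one key passes."""
    values = ctx.get(key)
    if values is None:
        # Missing key: vacuously true for ForAllValues, false otherwise.
        return for_all_values
    if isinstance(values, str):
        values = [values]
    return all(v != expected for v in values)

def deny_matches(statement, ctx):
    """A Deny applies only if every key under every operator is satisfied."""
    for operator, keys in statement["Condition"].items():
        for_all = operator.startswith("ForAllValues:")
        for key, expected in keys.items():
            if not not_equals_satisfied(ctx, key, expected, for_all):
                return False  # one matching key already escapes the Deny
    return True

def run_instances_allowed(deny_statements, ctx):
    """With an ec2:* Allow in place, any matching Deny decides the outcome."""
    return not any(deny_matches(s, ctx) for s in deny_statements)

def request(tags):
    """Constructed request context for ec2:RunInstances with the given tags."""
    ctx = {"aws:TagKeys": list(tags)}
    for k, v in tags.items():
        ctx["aws:RequestTag/" + k] = v
    return ctx

# The question's statement: both keys under one operator block.
COMBINED = [{"Condition": {"ForAllValues:StringNotEquals": {
    "aws:TagKeys": "Name", "aws:RequestTag/Name": USER}}}]

# One Deny per condition key, each evaluated on its own.
SPLIT = [
    {"Condition": {"ForAllValues:StringNotEquals": {"aws:TagKeys": "Name"}}},
    {"Condition": {"StringNotEquals": {"aws:RequestTag/Name": USER}}},
]

if __name__ == "__main__":
    for tags in ({"Name": "alice"}, {"Name": "bob"}, {"Env": "dev"}):
        print(tags, "combined:", run_instances_allowed(COMBINED, request(tags)),
              "split:", run_instances_allowed(SPLIT, request(tags)))
```

With the combined statement, a request tagged Name=bob passes the aws:TagKeys check, so the Deny never matches and the launch goes through; with the split statements the second Deny catches the wrong value.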