在这种情况下,我想将EC2实例的创建限制为以下条件:
"*.nano", "*.small", "*.micro", "*.medium", "*.large"
eu-central-1
我创建了以下EC2策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ec2:CreateDhcpOptions",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:ModifyVolumeAttribute",
"ec2:ReplaceRouteTableAssociation",
"ec2:DeleteVpcEndpoints",
"ec2:CreateKeyPair",
"ec2:ResetInstanceAttribute",
"ec2:AttachInternetGateway",
"ec2:ReportInstanceStatus",
"ec2:UpdateSecurityGroupRuleDescriptionsIngress",
"ec2:DeleteRouteTable",
"ec2:ModifySpotFleetRequest",
"ec2:ModifySnapshotAttribute",
"ec2:DeleteVpnGateway",
"ec2:CreateNetworkInterfacePermission",
"ec2:RevokeSecurityGroupEgress",
"ec2:CreateRoute",
"ec2:CreateInternetGateway",
"ec2:DeleteInternetGateway",
"ec2:UnassignPrivateIpAddresses",
"ec2:CreateReservedInstancesListing",
"ec2:CancelExportTask",
"ec2:BundleInstance",
"ec2:ImportKeyPair",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:AssignPrivateIpAddresses",
"ec2:DisassociateRouteTable",
"ec2:CreateVolume",
"ec2:ReplaceNetworkAclAssociation",
"ec2:CreateVpcEndpointServiceConfiguration",
"ec2:RevokeSecurityGroupIngress",
"ec2:CreateNetworkInterface",
"ec2:CancelSpotInstanceRequests",
"ec2:DetachVpnGateway",
"ec2:CreateDefaultVpc",
"ec2:DeleteDhcpOptions",
"ec2:DeleteNatGateway",
"ec2:CreateSubnet",
"ec2:ModifyVpcEndpoint",
"ec2:DeleteNetworkAclEntry",
"ec2:CreateVpnConnection",
"ec2:DeleteSpotDatafeedSubscription",
"ec2:DisassociateAddress",
"ec2:ModifyVpcEndpointServicePermissions",
"ec2:ImportVolume",
"ec2:MoveAddressToVpc",
"ec2:CreateNatGateway",
"ec2:ModifyFleet",
"ec2:RunScheduledInstances",
"ec2:ModifyIdentityIdFormat",
"ec2:CreateVpc",
"ec2:RequestSpotFleet",
"ec2:ModifyImageAttribute",
"ec2:ReleaseHosts",
"ec2:ModifySubnetAttribute",
"ec2:CreateDefaultSubnet",
"ec2:CreateSpotDatafeedSubscription",
"ec2:CreateSnapshot",
"ec2:DeleteLaunchTemplateVersions",
"ec2:DeleteNetworkAcl",
"ec2:ModifyReservedInstances",
"ec2:ReleaseAddress",
"ec2:CreateInstanceExportTask",
"ec2:DeleteLaunchTemplate",
"ec2:AssociateDhcpOptions",
"ec2:ModifyInstancePlacement",
"ec2:AssignIpv6Addresses",
"ec2:ImportInstance",
"ec2:AttachVpnGateway",
"ec2:AcceptVpcEndpointConnections",
"ec2:ModifyFpgaImageAttribute",
"ec2:ResetSnapshotAttribute",
"ec2:CancelConversionTask",
"ec2:ImportSnapshot",
"ec2:CreateVpnConnectionRoute",
"ec2:DisassociateSubnetCidrBlock",
"ec2:DeleteVpcEndpointConnectionNotifications",
"ec2:CreateLaunchTemplate",
"ec2:RestoreAddressToClassic",
"ec2:DeleteCustomerGateway",
"ec2:EnableVgwRoutePropagation",
"ec2:DisableVpcClassicLink",
"ec2:DisableVpcClassicLinkDnsSupport",
"ec2:AllocateHosts",
"ec2:ModifyVpcTenancy",
"ec2:CancelImportTask",
"ec2:ModifyIdFormat",
"ec2:ConfirmProductInstance",
"ec2:DeleteFlowLogs",
"ec2:CopySnapshot",
"ec2:DeleteSubnet",
"ec2:ModifyVpcEndpointServiceConfiguration",
"ec2:UnmonitorInstances",
"ec2:MonitorInstances",
"ec2:DeleteVpcPeeringConnection",
"ec2:AcceptVpcPeeringConnection",
"ec2:CreateImage",
"ec2:PurchaseHostReservation",
"ec2:CopyImage",
"ec2:DisableVgwRoutePropagation",
"ec2:AssociateVpcCidrBlock",
"ec2:ReplaceRoute",
"ec2:RejectVpcPeeringConnection",
"ec2:AssociateRouteTable",
"ec2:DisassociateVpcCidrBlock",
"ec2:DeleteVolume",
"ec2:CreatePlacementGroup",
"ec2:ReplaceNetworkAclEntry",
"ec2:ModifyVpcPeeringConnectionOptions",
"ec2:CreateVpnGateway",
"ec2:UnassignIpv6Addresses",
"ec2:ImportImage",
"ec2:DeleteVpnConnection",
"ec2:CreateVpcPeeringConnection",
"ec2:RejectVpcEndpointConnections",
"ec2:EnableVpcClassicLink",
"ec2:PurchaseScheduledInstances",
"ec2:ModifyVolume",
"ec2:ResetImageAttribute",
"ec2:UpdateSecurityGroupRuleDescriptionsEgress",
"ec2:CreateVpcEndpointConnectionNotification",
"ec2:ResetNetworkInterfaceAttribute",
"ec2:RegisterImage",
"ec2:CreateRouteTable",
"ec2:DeleteNetworkInterface",
"ec2:CreateFleet",
"ec2:DetachInternetGateway",
"ec2:CreateCustomerGateway",
"ec2:ModifyHosts",
"ec2:ModifyVpcEndpointConnectionNotification",
"ec2:EnableVolumeIO",
"ec2:CreateFlowLogs",
"ec2:AssociateSubnetCidrBlock",
"ec2:DeleteVpc",
"ec2:CreateEgressOnlyInternetGateway",
"ec2:AssociateAddress",
"ec2:DeleteKeyPair",
"ec2:CancelBundleTask",
"ec2:DeregisterImage",
"ec2:DeleteSnapshot",
"ec2:PurchaseReservedInstancesOffering",
"ec2:DeleteTags",
"ec2:RequestSpotInstances",
"ec2:CancelSpotFleetRequests",
"ec2:DeleteFleets",
"ec2:DeleteVpcEndpointServiceConfigurations",
"ec2:DeleteFpgaImage",
"ec2:DeleteNetworkInterfacePermission",
"ec2:CreateSecurityGroup",
"ec2:CreateNetworkAcl",
"ec2:ModifyVpcAttribute",
"ec2:ModifyInstanceAttribute",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:DeleteEgressOnlyInternetGateway",
"ec2:DetachNetworkInterface",
"ec2:DeletePlacementGroup",
"ec2:DeleteRoute",
"ec2:CopyFpgaImage",
"ec2:AllocateAddress",
"ec2:CreateLaunchTemplateVersion",
"ec2:DeleteVpnConnectionRoute",
"ec2:ModifyInstanceCreditSpecification",
"ec2:CreateVpcEndpoint",
"ec2:DeleteSecurityGroup",
"ec2:CreateFpgaImage",
"ec2:AcceptReservedInstancesExchangeQuote",
"ec2:ModifyLaunchTemplate",
"ec2:AttachNetworkInterface",
"ec2:EnableVpcClassicLinkDnsSupport",
"ec2:CancelReservedInstancesListing",
"ec2:CreateNetworkAclEntry",
"ec2:ResetFpgaImageAttribute"
],
"Resource": "*",
"Condition": {
"StringLike": {
"aws:RequestedRegion": "eu-central-1"
}
}
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"ec2:DetachVolume",
"ec2:AttachVolume",
"ec2:RebootInstances",
"ec2:AttachClassicLinkVpc",
"ec2:TerminateInstances",
"ec2:DetachClassicLinkVpc",
"ec2:CreateTags",
"ec2:RunInstances",
"ec2:StopInstances",
"ec2:ReplaceIamInstanceProfileAssociation",
"ec2:StartInstances",
"ec2:DisassociateIamInstanceProfile",
"ec2:AssociateIamInstanceProfile"
],
"Resource": "*",
"Condition": {
"StringLike": {
"aws:RequestedRegion": "eu-central-1",
"ec2:InstanceType": [
"*.nano",
"*.small",
"*.micro",
"*.medium",
"t2.large"
]
}
}
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": "ec2:Describe*",
"Resource": "*"
}
]
}
无论何时创建任何种类的实例(无论是前面提到的实例还是任何其他类型的实例),我都会收到以下错误消息:
Launch Failed
You are not authorized to perform this operation.
Creating security groups Successful (sg-0f49c6462ba8c1f3b)
Authorizing inbound rules Successful
Initiating launches Failure
答案 0 :(得分:1)
唯一需要受实例类型限制的操作是 RunInstances(用于启动实例)和 ModifyInstanceAttribute(用于更改实例类型)。
(这也是上面策略失败的原因:RunInstances 除实例外还会对 AMI、子网、安全组、网络接口等资源做授权评估,而这些资源上不存在 ec2:InstanceType 条件键,所以带有该条件、Resource 为 "*" 的 Allow 语句对它们不匹配,启动就被隐式拒绝。)
欢迎您分配所有其他权限,不受实例类型的限制,但受区域的限制:
{
"Effect": "Allow",
"Action": [
"ec2:*"
],
"Resource": "*",
"Condition": {"StringEquals": {"aws:RequestedRegion": "eu-central-1"}}
},
Easier way to control access to AWS regions using IAM policies | AWS Security Blog还显示了另一种方式:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "ec2:*",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ec2:Region": "<REGION>"
}
}
}
]
}
我不确定哪一种更好。
然后,要阻止用户启动不需要的实例类型,请添加一个覆盖允许策略的 Deny 策略(显式 Deny 优先于任何 Allow)。
来自Limiting Allowed AWS Instance Type With IAM Policy(包括允许的实例类型的通配符):
或者,从How to restrict by regions and instance types in AWS with IAM – : : blyx.com : : Blog : : Toni de la Fuente(指出不允许的实例类型)开始:
{
"Sid": "limitedSize",
"Effect": "Deny",
"Action": ["ec2:RunInstances", "ec2:ModifyInstanceAttribute"],
"Resource": "arn:aws:ec2:*:*:instance/*",
"Condition": {
"ForAnyValue:StringNotLike": {
"ec2:InstanceType": [
"*.nano",
"*.small",
"*.micro",
"*.medium"
]
}
}
}