强制为EC2创建标签

时间:2019-01-06 19:44:13

标签: amazon-web-services amazon-iam

我一直在尝试创建一个策略,该策略除非具有Project标签,否则将不允许创建ec2实例。这就是我现在拥有的,即使拥有标签Project,我所得到的还是ec2:RunInstances You are not authorized to perform this operation

{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Sid": "RunCloudFormation",
          "Effect": "Allow",
          "Action": [
              "cloudformation:*"
          ],
          "Resource": [
              "*"
          ]
      },
      {
          "Sid": "CreateEC2Instances",
          "Effect": "Allow",
          "Action": [
              "ec2:Describe*",
              "ec2:CreateSecurityGroup",
              "ec2:AuthorizeSecurityGroupIngress",
              "ec2:CreateTags",
              "ec2:RunInstances"
          ],
          "Resource": "*"
      },
      {
          "Sid": "LaunchingEC2withAMIsAndTags",
          "Effect": "Allow",
          "Action": "ec2:RunInstances",
          "Resource": "arn:aws:ec2:*:*:instance/*",
          "Condition": {
              "StringLike": {
                  "aws:RequestTag/Project": "?*"
              }
          }
      }
  ]
}

这是我的CloudFormation模板的摘要:

  "KeyName": {
          "Ref": "KeyName"
        },
        "Tags": [
          {
            "Key": "Project",
            "Value": "test"
          },
          {
            "Key": "OwnerAdmin",
            "Value": "myname"
          },
          {
            "Key": "Name",
            "Value": "TESTTags"
          }
        ],

1 个答案:

答案 0 :(得分:1)

我设法通过更改来允许策略模拟器允许RunInstances操作

"Resource": "arn:aws:ec2:*:*:instance/*"


"Resource": "*",

仅当您要限制实例使用的资源(例如AMI,子网,安全组等)时,才需要使用资源级别权限。

相关问题
最新问题