Question

我一直在尝试创建一个策略，该策略除非具有Project标签，否则将不允许创建ec2实例。这就是我现在拥有的，即使拥有标签Project，我所得到的还是ec2:RunInstances You are not authorized to perform this operation。

{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Sid": "RunCloudFormation",
          "Effect": "Allow",
          "Action": [
              "cloudformation:*"
          ],
          "Resource": [
              "*"
          ]
      },
      {
          "Sid": "CreateEC2Instances",
          "Effect": "Allow",
          "Action": [
              "ec2:Describe*",
              "ec2:CreateSecurityGroup",
              "ec2:AuthorizeSecurityGroupIngress",
              "ec2:CreateTags",
              "ec2:RunInstances"
          ],
          "Resource": "*"
      },
      {
          "Sid": "LaunchingEC2withAMIsAndTags",
          "Effect": "Allow",
          "Action": "ec2:RunInstances",
          "Resource": "arn:aws:ec2:*:*:instance/*",
          "Condition": {
              "StringLike": {
                  "aws:RequestTag/Project": "?*"
              }
          }
      }
  ]
}

这是我的CloudFormation模板的摘要：

  "KeyName": {
          "Ref": "KeyName"
        },
        "Tags": [
          {
            "Key": "Project",
            "Value": "test"
          },
          {
            "Key": "OwnerAdmin",
            "Value": "myname"
          },
          {
            "Key": "Name",
            "Value": "TESTTags"
          }
        ],

Answer 1

我设法通过更改来允许策略模拟器允许RunInstances操作

"Resource": "arn:aws:ec2:*:*:instance/*"

到

"Resource": "*",

仅当您要限制实例使用的资源（例如AMI，子网，安全组等）时，才需要使用资源级别权限。

强制为EC2创建标签

1 个答案: