在ec2中实施标记

Question

创建了一个IAM策略，该策略应限制用户现在使用，以便在不满足标签值时允许创建ec2实例

{     “ Version”：“ 2012-10-17”，     “声明”：[         {             “ Sid”：“ AllowToDescribeAll”，             “效果”：“允许”，             “动作”：[                 “ ec2：描述*”             ]，             “资源”：“ ”         }，         {             “ Sid”：“ AllowRunInstances”，             “效果”：“允许”，             “ Action”：“ ec2：RunInstances”，             “资源”：[                 “ arn：aws：ec2： :: image / ”，                 “ arn：aws：ec2： :: snapshot / ”，                 “ arn：aws：ec2：：：subnet / ”，                 “ arn：aws：ec2：：：network-interface / ”，                 “ arn：aws：ec2：：：security-group / ”，                 “ arn：aws：ec2：：：key-pair / ”             ]         }，         {             “ Sid”：“ AllowRunInstancesWithRestrictions”，             “效果”：“允许”，             “动作”：[                 “ ec2：CreateVolume”，                 “ ec2：RunInstances”             ]，             “资源”：[                 “ arn：aws：ec2：：：volume / ”，                 “ arn：aws：ec2：：：instance / ”             ]，             “条件”：{                 “ StringEquals”：{                     “ aws：RequestTag / shutdown”：“ true”，                     “ aws：RequestTag / terminate”：“ true”                 }，                 “ ForAllValues：StringEquals”：{                     “ aws：TagKeys”：[                         “关掉”，                         “终止”                     ]                 }             }         }，         {             “ Sid”：“ AllowCreateTagsOnlyLaunching”，             “效果”：“允许”，             “动作”：[                 “ ec2：CreateTags”             ]，             “资源”：[                 “ arn：aws：ec2：：：volume / ”，                 “ arn：aws：ec2：：：instance / *”             ]，             “条件”：{                 “ StringEquals”：{                     “ ec2：CreateAction”：“ RunInstances”                 }             }         }     ] }

Answer 1

请通过https://policysim.aws.amazon.com/home/index.jsp?#的策略模拟器进行检查

通过以下政策，我可以确认它是否有效：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowToDescribeAll",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowRunInstances",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:*::image/*",
                "arn:aws:ec2:*::snapshot/*",
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:key-pair/*"
            ]
        },
        {
            "Sid": "AllowRunInstancesWithRestrictions",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVolume",
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/terminate": "true",
                    "aws:RequestTag/shutdown": "true"
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": [
                        "terminate",
                        "shutdown"
                    ]
                }
            }
        },
        {
            "Sid": "AllowCreateTagsOnlyLaunching",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": "RunInstances"
                }
            }
        }
    ]
}