我需要能够在创建时传入的标签键/值对中限制新EC2实例的创建。我尝试了以下建议(在几种不同的配置中),但似乎没有任何效果:
Requiring Tags upon EC2 Instance Creation
Explicit deny for user to runinstances in AWS when not using specific tag KeyValue
我授予EC2FullAccess托管策略,并使用以下内容明确拒绝以标签为条件的内容:
{
"Effect": "Deny",
"Action": ["ec2:RunInstances",
"ec2:CreateVolume"],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:RequestTag/key": "value"
}
}
}
我尝试删除所有托管权限集,并根据条件标签使用以下内容“允许”:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowDescribe",
"Effect": "Allow",
"Action": ["ec2:Describe*",
"ec2:CreateTags",
"ec2:Attach*",
"ec2:StartInstances"],
"Resource": "*"
},
{
"Sid": "AllowRunInstancesWithRestrictions",
"Effect": "Allow",
"Action": [
"ec2:CreateVolume",
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:instance/*"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/key": "value"
}
}
}
]
}
我收到一个“访问被拒绝”错误,该错误已加密。解密消息没有帮助,因为它似乎没有显示出实际的错误是什么。谁能帮助我了解我做错了什么?我正在使用控制台进行测试,但最终需要开发此控制台,以供人们与Terraform一起使用。