Question

我试图创建一个 IAM 策略，对具有特定标签的机器具有只读访问权限，并仅为这些机器授予 EC2 实例连接权限。

我试过了。但不工作。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2-instance-connect:SendSSHPublicKey"
            ],
            "Resource": "arn:aws:ec2:*:7352673452763:dedicated-host/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Project": "TestProject"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "arn:aws:ec2:*:015107134915:dedicated-host/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Project": "TestProject"
                }
            }
        }
    ]
}

授予权限后我看不到任何机器。有人能帮我解决这些问题吗

Answer 1

ec2-instance-connect 权限支持的资源类型是

<块引用>

arn:${Partition}:ec2:${Region}:${Account}:instance/${InstanceId}

和 ec2:Describe* 适用于所有资源。

Actions, resources, and condition keys for Amazon EC2 Instance Connect

Actions, resources, and condition keys for Amazon EC2

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2-instance-connect:SendSSHPublicKey"
            ],
            "Resource": "arn:aws:ec2:*:7352673452763:instance/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Project": "TestProject"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        }
    ]
}

使用自定义策略基于 Tag 向 ec2 资源授予只读 IAM 权限

1 个答案: