Originally asked at https://forums.aws.amazon.com/thread.jspa?messageID=825006#825006

I am trying to restrict certain actions to a specific origin. For example, EC2 and CloudFormation should only be accessible from a certain source IP address. I can achieve this with the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": ["ec2:*", "cloudformation:*"],
            "Resource": "*",
            "Condition": {
                "NotIpAddress": { "aws:SourceIp": ["1.2.3.4"] }
            }
        }
    ]
}

This works well (assuming the user is otherwise allowed to use ec2 and cloudformation without conditions), because I can now create/view EC2 instances from the source IP 1.2.3.4 but get an error when trying from any other origin.

However, if I try to create a CloudFormation stack containing an EC2 instance, the RunInstances action inherits my user account but not my source IP. I want to update the condition to exclude the CloudFormation source from the Deny. I tried this:

        "Condition": {
            "NotIpAddress": { "aws:SourceIp": ["1.2.3.4"] },
            "StringNotEquals": {"aws:SourceIp":"cloudformation.amazonaws.com" }
        }
    }

I also tried two Allow statements on these actions, each with only one condition: IpAddress on sourceIp, and a second Allow statement with "StringEquals" : {"aws:SourceIp":"cloudformation.amazonaws.com"} on these actions. I still get the error when CloudFormation tries to perform the RunInstances action.

Here is the CloudTrail event showing the failure:

{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "REDACTED",
        "arn": "REDACTED",
        "accountId": "REDACTED",
        "sessionContext": {
            "attributes": {
                "creationDate": "2018-01-19T07:47:40Z"
            },
            "sessionIssuer": {
                "type": "Role",
                "principalId": "REDACTED",
                "arn": "arn:aws:iam::REDACTED",
                "accountId": "REDACTED",
                "userName": "REDACTED"
            }
        },
        "invokedBy": "cloudformation.amazonaws.com"
    },
    "eventTime": "2018-01-19T08:10:39Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "RunInstances",
    "awsRegion": "REDACTED",
    "sourceIPAddress": "cloudformation.amazonaws.com",
    "userAgent": "cloudformation.amazonaws.com",
    "errorCode": "Client.UnauthorizedOperation",
    "errorMessage": "You are not authorized to perform this operation. Encoded authorization failure message: REDACTED",
    "requestParameters": { <details of instance here> },
    "responseElements": null,
    "requestID": "REDACTED",
    "eventID": "REDACTED",
    "eventType": "AwsApiCall",
    "recipientAccountId": "REDACTED"
}

I have tried string matching on aws:SourceIp, aws:SourceIpAddress, aws:UserAgent. How can I allow the ec2 actions for cloudformation?

Thanks.
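An added example, not part of the original question: the same Deny statement extended with the aws:ViaAWSService global condition key, which AWS introduced after this question was posted. With it, the Deny only matches direct calls from outside 1.2.3.4; calls that an AWS service such as CloudFormation makes with the user's own credentials (the "invokedBy": "cloudformation.amazonaws.com" case in the CloudTrail event above) are exempt and fall through to whatever Allow statements the user already has. The IP address is the placeholder from the question.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyEc2AndCfnFromOutsideAllowedIpUnlessViaAwsService",
            "Effect": "Deny",
            "Action": ["ec2:*", "cloudformation:*"],
            "Resource": "*",
            "Condition": {
                "NotIpAddress": { "aws:SourceIp": ["1.2.3.4"] },
                "Bool": { "aws:ViaAWSService": "false" }
            }
        }
    ]
}
```

Note that aws:ViaAWSService is only true when the service uses the calling principal's credentials; a stack launched with its own CloudFormation service role is evaluated against that role's policies instead, so this Deny on the user would not apply to it in the first place.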
