0

I want to create an IAM policy where an IAM user cannot launch any instance in the us-east-1 region other than a t2.micro Ubuntu. I added the AMI to the IAM policy, but AWS does not only allow the Ubuntu AMI, it allows the IAM user to launch all instances. What could be the problem?

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "TheseActionsDontSupportResourceLevelPermissions",
         "Effect": "Allow",
         "Action": [
            "ec2:Describe*"
         ],
         "Resource": "*"
      },
      {
         "Sid": "TheseActionsSupportResourceLevelPermissions",
         "Effect": "Allow",
         "Action": [
            "ec2:RunInstances",
            "ec2:TerminateInstances",
            "ec2:StopInstances",
            "ec2:StartInstances"
         ],
         "Resource": "arn:aws:ec2:us-east-1:196687784845:instance/ami-0885b1f6bd170450c"
      }
   ]
}

4

2 Answers

0

This should point you in the right direction

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"TheseActionsDontSupportResourceLevelPermissions",
         "Effect":"Allow",
         "Action":[
            "ec2:Describe*"
         ],
         "Resource":"*"
      },
      {
         "Sid":"TheseActionsSupportResourceLevelPermissions",
         "Effect":"Allow",
         "Action":[
            "ec2:RunInstances",
            "ec2:TerminateInstances",
            "ec2:StopInstances",
            "ec2:StartInstances"
         ],
         "Resource":"arn:aws:ec2:us-east-1:196687784845:instance/ami-0885b1f6bd170450c",
         "Condition":{
            "ForAnyValue:StringLike":{
               "ec2:ImageType":"t2.micro"
            }
         }
      }
   ]
}
answered 2020-12-01T13:02:10.590
0

I would suggest using a Deny rule to prohibit launching an instance if the wrong instance type or the wrong AMI is used. Note that I removed the Sid parameter, since it is optional.

An explicit Deny rule overrides any Allow rule. This makes it easier to prohibit unwanted actions than to try to exclude them from what is allowed. See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow

Try the following:

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
            "ec2:Describe*"
         ],
         "Resource": "*"
      },
      {
         "Effect": "Allow",
         "Action": [
            "ec2:RunInstances",
            "ec2:TerminateInstances",
            "ec2:StopInstances",
            "ec2:StartInstances"
         ],
         "Resource": "*"
      },
      {
         "Effect": "Deny",
         "Action": [
           "ec2:RunInstances"
         ],
         "Resource": "*",
         "Condition": {
            "StringNotLike": {
               "ec2:ImageType": "t2.micro"
            }
         }
      },
      {
         "Effect": "Deny",
         "Action": [
           "ec2:RunInstances"
         ],
         "NotResource": "arn:aws:ec2:us-east-1:196687784845:instance/ami-0885b1f6bd170450c"
      }
   ]
}
answered 2020-12-02T04:48:19.833
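Both answers restrict ec2:RunInstances with resource ARNs and conditions, and the second one relies on an explicit Deny overriding an Allow. The Python script below is an added example, not code from either answer, from the question, or from AWS: it implements a deliberately simplified model of the IAM evaluation logic linked above (deny-overrides, wildcard ARN matching, the String* condition operators, and the rule that a negated operator holds when the key is absent from the request) and runs a corrected policy through it. The condition keys it uses are real EC2 keys: ec2:InstanceType matches the instance size and ec2:ImageID the AMI, while ec2:ImageType (used in both answers) only distinguishes machine, kernel and ramdisk images and therefore never equals t2.micro; images are addressed with the account-less ARN form arn:aws:ec2:region::image/ami-id rather than as instance resources. The AMI id is the one from the question; the account id, subnet id and security-group id are constructed placeholders, and the evaluator is a model for reasoning about the policy, not a substitute for the IAM policy simulator.

```python
import fnmatch

ACCOUNT = "111122223333"             # constructed placeholder account id
UBUNTU_AMI = "ami-0885b1f6bd170450c"  # AMI id taken from the question

# Corrected policy: broad Allow, then explicit Denies for everything that is
# not a t2.micro launched from the approved AMI in us-east-1.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ec2:RunInstances", "ec2:TerminateInstances",
                    "ec2:StopInstances", "ec2:StartInstances"],
         "Resource": "*"},
        # Deny any instance size other than t2.micro (checked on the instance resource)
        {"Effect": "Deny", "Action": "ec2:RunInstances",
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"StringNotEquals": {"ec2:InstanceType": "t2.micro"}}},
        # Deny any image other than the approved AMI (checked on the image resource)
        {"Effect": "Deny", "Action": "ec2:RunInstances",
         "Resource": "arn:aws:ec2:*::image/*",
         "Condition": {"StringNotEquals": {"ec2:ImageID": UBUNTU_AMI}}},
        # Deny launches outside us-east-1
        {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": "us-east-1"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_any(patterns, value):
    # IAM-style wildcard match: '*' and '?' in Action/Resource/StringLike values
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Evaluate String* operators only (StringEquals/NotEquals/Like/NotLike)."""
    for operator, pairs in condition.items():
        negated = operator.startswith("StringNot")
        for key, expected in pairs.items():
            if key not in context:
                # IAM rule: a missing key satisfies a negated operator and fails a plain one
                if not negated:
                    return False
                continue
            if operator.endswith("Like"):
                matched = _matches_any(expected, context[key])
            else:
                matched = context[key] in _as_list(expected)
            if matched == negated:  # plain op needs a match, negated op needs no match
                return False
    return True


def _statement_applies(stmt, action, resource, context):
    if not _matches_any(stmt["Action"], action):
        return False
    if "Resource" in stmt and not _matches_any(stmt["Resource"], resource):
        return False
    if "NotResource" in stmt and _matches_any(stmt["NotResource"], resource):
        return False
    return _condition_holds(stmt.get("Condition", {}), context)


def evaluate(policy, action, resources, context):
    """Deny-overrides: any explicit Deny wins; every resource needs an Allow."""
    allowed_all = True
    for resource in resources:
        effects = [s["Effect"] for s in policy["Statement"]
                   if _statement_applies(s, action, resource, context)]
        if "Deny" in effects:
            return "Deny"
        allowed_all = allowed_all and "Allow" in effects
    return "Allow" if allowed_all else "ImplicitDeny"


def launch_request(region, instance_type, image_id):
    """Model the resource set IAM authorizes for one RunInstances call."""
    resources = [
        f"arn:aws:ec2:{region}:{ACCOUNT}:instance/*",
        f"arn:aws:ec2:{region}::image/{image_id}",
        f"arn:aws:ec2:{region}:{ACCOUNT}:subnet/subnet-0123456789abcdef0",          # constructed
        f"arn:aws:ec2:{region}:{ACCOUNT}:security-group/sg-0123456789abcdef0",      # constructed
    ]
    context = {"ec2:InstanceType": instance_type, "ec2:ImageID": image_id,
               "aws:RequestedRegion": region}
    return evaluate(POLICY, "ec2:RunInstances", resources, context)


if __name__ == "__main__":
    for args in [("us-east-1", "t2.micro", UBUNTU_AMI), ("us-east-1", "t3.large", UBUNTU_AMI),
                 ("us-east-1", "t2.micro", "ami-0000000000example"), ("eu-west-1", "t2.micro", UBUNTU_AMI)]:
        print(args, "->", launch_request(*args))
```

The last Deny statement is what keeps the user inside us-east-1, which the question asked for but neither posted policy enforces, and the missing-key rule in `_condition_holds` is why a Deny written with StringNotEquals is the safer shape: a request that omits the key is still denied rather than silently allowed.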