I have this policy that should prevent users from removing tags from any AWS resource. But tags are still being removed from resources.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:Delete*",
                "s3:Delete*",
                "s3:ReplicateTags",
                "iam:Untag*",
                "tag:UntagResources"
            ],
            "Effect": "Deny",
            "Resource": "*"
        },
        {
            "Action": [
                "s3:Create*",
                "s3:Describe*",
                "s3:Get*",
                "s3:List*",
                "s3:Put*",
                "s3:Update*",
                "s3:Replicate*",
                "s3:RestoreObject",
                "s3:ObjectOwnerOverrideToBucketOwner"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "ec2:Create*",
                "ec2:Describe*",
                "ec2:Get*",
                "ec2:Modify*",
                "ec2:StartInstances",
                "ec2:StopInstances"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "iam:Tag*",
                "tag:TagResources",
                "tag:GetResources"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "iam:Untag*",
                "tag:UntagResources"
            ],
            "Effect": "Deny",
            "Resource": "*"
        }
    ]
}

Since I'm new to AWS, I don't know what's wrong. The other permissions work fine. Only untagging doesn't work. How do I deny untagging resources? Thanks in advance.

How do I do tag:UntagResources

1 Answer

One approach is to use the IAM Create Policy visual editor. Enter the service you are interested in, for example S3, then in the action search box search for "tag" to find all the related actions you want to deny. Use the "Switch to deny permissions" link to make it a deny statement. Then, for resources, select all resources. Finally, switch to the JSON tab to see the generated statement.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Deny",
            "Action": [
                "s3:DeleteObjectTagging",
                "s3:DeleteJobTagging",
                "s3:DeleteStorageLensConfigurationTagging",
                "s3:DeleteObjectVersionTagging"
            ],
            "Resource": "*"
        }
    ]
}

You can then repeat the process for each service whose tagging you want to disable, creating multiple policy statements.

Answered 2021-05-29T00:51:57.467
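As an added example (not code from the question or the answer above), here is a small Python evaluator that applies IAM's action-wildcard matching and explicit-deny-over-allow rule to the question's statements, so you can see which tag-removing actions that policy actually blocks before building the answer's per-service deny statements in the console. It is a simplification of real IAM evaluation: Resource, Condition and NotAction are ignored (the question uses Resource "*" and no conditions), as are SCPs and resource-based policies, and the list of tag-removing actions is my own assumption about which operations matter.

```python
import re

# Constructed inline from the question's policy: only Effect and Action are kept,
# because every statement there uses Resource "*" and has no Condition block.
POLICY = {
    "Statement": [
        {"Effect": "Deny", "Action": ["ec2:Delete*", "s3:Delete*", "s3:ReplicateTags",
                                      "iam:Untag*", "tag:UntagResources"]},
        {"Effect": "Allow", "Action": ["s3:Create*", "s3:Describe*", "s3:Get*", "s3:List*",
                                       "s3:Put*", "s3:Update*", "s3:Replicate*",
                                       "s3:RestoreObject", "s3:ObjectOwnerOverrideToBucketOwner"]},
        {"Effect": "Allow", "Action": ["ec2:Create*", "ec2:Describe*", "ec2:Get*",
                                       "ec2:Modify*", "ec2:StartInstances", "ec2:StopInstances"]},
        {"Effect": "Allow", "Action": ["iam:Tag*", "tag:TagResources", "tag:GetResources"]},
        {"Effect": "Deny", "Action": ["iam:Untag*", "tag:UntagResources"]},
    ]
}

def action_matches(pattern: str, action: str) -> bool:
    """IAM action matching: case-insensitive, '*' matches any run, '?' one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None

def evaluate(policy: dict, action: str) -> str:
    """Explicit Deny beats any Allow; no matching statement is an implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(action_matches(p, action) for p in actions):
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision

# Assumed set of tag-removing actions for the three services in the question.
# s3:PutBucketTagging is included because it replaces a bucket's whole tag set,
# so writing an empty set removes every tag without calling a Delete* action.
UNTAG_ACTIONS = ["ec2:DeleteTags", "s3:DeleteObjectTagging", "s3:DeleteBucketTagging",
                 "s3:PutBucketTagging", "iam:UntagRole", "tag:UntagResources"]

def audit(policy: dict = POLICY) -> dict:
    """Map each tag-removing action to the decision the policy gives it."""
    return {a: evaluate(policy, a) for a in UNTAG_ACTIONS}

if __name__ == "__main__":
    for action, decision in audit().items():
        print(f"{action:28s} {decision}")
```

The run shows the Delete*/Untag* patterns already cover the obvious untag calls, while s3:PutBucketTagging falls through to the s3:Put* Allow, which is the kind of gap the answer's per-service search for "tag" is meant to surface; confirm the real decision with the IAM policy simulator, since this script ignores resources, conditions and other policy types.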