我想将AWS策略附加到IAM用户,该策略只允许在EC2上使用start-instance和stop-instance的AWS CLI。
它通过使用AmazonEC2FullAccess策略来工作,但我想限制它
我使用了startInstances、stopInstances、describeInstances。。。但没有奏效。
我正在使用aws ec2 start-instance --instance-ids i-123。
有什么想法吗?
{
"Version": "2012-10-17",
"Statement": [
{
"Action": ["cloudwatch:*","ec2:Describe*"],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": ["ec2:StartInstances","ec2:StopInstances"],
"Effect": "Allow",
"Resource": "arn:aws:ec2:eu-central-1b:123412341234:instance/i-123412341234"
}
]
}
允许IAM用户"ec2:StartInstances"one_answers"ec2:StopInstances"的策略看起来像:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": ["cloudwatch:*","ec2:Describe*"],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": ["ec2:StartInstances","ec2:StopInstances"],
"Effect": "Allow",
"Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"
}
]
}
看看cloudwatch和ec2:Describe操作是如何在一个单独的语句中的,它们过去只支持"*">的资源。您可以看到AWS做了同样的事情,将EC2操作与描述和标记分开:https://aws.amazon.com/premiumsupport/knowledge-center/iam-ec2-resource-tags/
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:*",
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/UserName": "${aws:username}"
}
}
},
{
"Effect": "Allow",
"Action": "ec2:Describe*",
"Resource": "*"
},
{
"Effect": "Deny",
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags"
],
"Resource": "*"
}
]
}