我试图提供一个遵循以下示例的策略:https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-restrict-access-examples.html
但是,我一直收到警告,但它不起作用。
到目前为止,这些都是我尝试过的:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowStartSessionExceptProd",
"Effect": "Allow",
"Action": [
"ssm:StartSession"
],
"Resource": "*",
"Condition": {
"StringNotLike": {
"ssm:resourceTag/environment": [
"prod",
"Prod"
]
}
}
}
]
}
或
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowStartSessionExceptProd",
"Effect": "Allow",
"Action": [
"ssm:StartSession"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"arn:aws:ec2:*:*:instance": [
"i-myInstanceId1",
"i-myInstanceId2"
]
}
}
}
]
}
甚至我也试图利用更多基于资源的条件。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowStartSessionExceptProd",
"Effect": "Allow",
"Action": [
"ssm:StartSession"
],
"Resource": "*",
"Condition": {
"StringNotLike": {
"ssm:resourceTag/environment": [
"prod",
"Prod"
],
"arn:aws:ec2:*:*:resourceTag/environment": [
"prod",
"Prod"
],
"ec2:resourceTag/environment": [
"prod",
"Prod"
]
}
}
}
]
}
一般来说,我想做的就是允许访问非生产服务器上的SSM中的会话。我的EC2产品服务器都有一个标签environment:prod
我会收到关于每个不起作用的条件的错误消息:There are no actions in your policy that support this condition key.
示例:
ec2:resourceTag /environment (StringNotLike prod and Prod)
There are no actions in your policy that support this condition key.
我感谢你的帮助。
根据评论和一些调查,答案如下:
从文档中,很容易注意到哪些操作支持什么条件。
不幸的是,为"限制访问"提供的示例是错误的,即包含示例代码的文档中存在错误。
公关可能是个好主意,这样其他人就不会再坚持下去了。