我希望用户能够登录到aws帐户并启动和停止一个特定的ec2实例。到目前为止,我发现ec2-description只在资源中使用全星"*"。用户可以登录,查看所有实例,但由于出现拒绝权限错误,他无法启动或停止实例:(
这是我的政策
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "TheseActionsDontSupportResourceLevelPermissions",
"Effect": "Allow",
"Action": [
"ec2:Describe*"
],
"Resource": "*"
},
{
"Sid": "TheseActionsSupportResourceLevelPermissions",
"Effect": "Allow",
"Action": [
"ec2:TerminateInstances",
"ec2:StopInstances",
"ec2:StartInstances"
],
"Resource": "arn:aws:ec2:eu-central-1a:MY_ACCOUNT_ID:instance/MY_INSTANCE_ID"
}
]
}
答案是,你不能。
ec2:Stopinstances、ec2:StartInstances和ec2:TerminateInstances确实支持资源级权限,但不支持实例id的条件键。它们支持条件键:
- ec2:可用性区域
- ec2:EbsOptimized
- ec2:实例配置文件
- ec2:实例类型
- ec2:放置组
- ec2:区域
- ec2:ResourceTag/tag密钥
- ec2:根设备类型
- ec2:租赁
此处的文档中对此进行了强调。(在页面上搜索API调用)
唯一可能有用的条件关键字是ec2:ResourceTag/tag-key。您可以在特定实例上添加一个资源标记,并允许用户权限在带有该标记的实例上调用这3个API调用。
但是,除非您拒绝了与标签相关的API调用,否则将无法阻止用户将标签添加到另一个实例,并对该实例执行API调用。你需要确定拒绝标记是否适合你的情况。
希望这能有所帮助。
让我提供一个工作示例:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupEgress",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:RebootInstances"
],
"Resource": [
"arn:aws:ec2:ap-south-1:222222222222:instance/i-02222222222222ddb",
"arn:aws:ec2:ap-south-1:222222222222:security-group/sg-022222222abc"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Name": "my.dev-server.com"
}
}
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeSecurityGroupRules",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeNetworkAcls",
"ec2:DescribeSecurityGroups",
"ec2:ModifySecurityGroupRules",
"ec2:DescribeInstanceStatus"
],
"Resource": "*"
}
]
}
我发现这个链接对理解这个答案也很有用。