我正在尝试使用此策略来限制用户在指定的 VPC 中启动任何实例。但是,我仍然可以启动实例!为什么这个政策不起作用?显然,资源资源": "arn:aws:ec2:::vpc//vpc-xyz 在我的生产模板中具有实际值
"Statement": [
{
"Action": [
"ec2:Run*",
"ec2:Terminate*",
"ec2:Cancel*",
"ec2:Create*",
"ec2:Delete*",
"ec2:Modify*",
"ec2:Start*",
"ec2:Stop*"
],
"Resource": "arn:aws:ec2:<REGION>:<ACCOUNT-ID>:vpc/<VPC-ID>/vpc-xyz",
"Effect": "Deny",
"Sid": "DenyInstanceActionsForVPC"
},
{
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Project": [
"Cloud Services",
"MDH",
"Shine"
]
}
},
"Action": [
"ec2:Run*",
"ec2:Terminate*",
"ec2:Cancel*",
"ec2:Create*",
"ec2:Delete*",
"ec2:Modify*",
"ec2:Start*",
"ec2:Stop*"
],
"Resource": "*",
"Effect": "Deny",
"Sid": "DenyInstanceActionsForCStaggedResources"
}
]
}
第一项。您的策略中没有允许。因此,您不应该能够做任何事情。先解决这个问题。
接下来修改您的第一个语句,使其如下所示:
{
"Sid": "DenyInstanceActionsForVPC",
"Effect": "Deny",
"Action": [
"ec2:Run*",
"ec2:Terminate*",
"ec2:Cancel*",
"ec2:Create*",
"ec2:Delete*",
"ec2:Modify*",
"ec2:Start*",
"ec2:Stop*"
],
"Resource": "arn:aws:ec2:REGION:ACCOUNTNUMBER:subnet/*",
"Condition": {
"StringEquals": {
"ec2:vpc": "arn:aws:ec2:REGION:ACCOUNTNUMBER:vpc/VPC-ID"
}
}
},