IAM policy not launching



I have attached the following custom IAM policy as an inline policy to an IAM user, but when I try to launch an EC2 instance while logged in as that user, it does not work. My requirement is to allow the user to launch only t2.micro instances.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeImages",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:us-east-1:xxxxxxxxx:network-interface/*",
        "arn:aws:ec2:us-east-1:xxxxxxxxx:volume/*",
        "arn:aws:ec2:us-east-1:xxxxxxxxx:key-pair/*",
        "arn:aws:ec2:us-east-1:xxxxxxxxx:security-group/*",
        "arn:aws:ec2:us-east-1:xxxxxxxxx:subnet/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:us-east-1:xxxxxxxxx:instance/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:InstanceType": "t2.micro"
        }
      }
    }
  ]
}

Any guesses as to what the problem might be?

I think your policy is missing the following:

"arn:aws:ec2:us-east-1::image/ami-*"

Alternatively, you can specify a particular image:

"arn:aws:ec2:us-east-1::image/ami-xxxxxxxx"

Rather than restricting the Allow, it is better to allow ec2:* and add this statement, which denies anything other than t2.micro:

{
  "Action": [
    "ec2:RunInstances"
  ],
  "Effect": "Deny",
  "Resource": "arn:aws:ec2:*:*:instance/*",
  "Condition": {
    "StringNotEquals": {
      "ec2:InstanceType": [
        "t2.micro"
      ]
    }
  }
}

However, be careful, because someone could launch a t2.micro, stop it, modify the instance type, and then start it again!

To prevent this, you can add:

{
  "Action": [
    "ec2:ModifyInstanceAttribute"
  ],
  "Effect": "Deny",
  "Resource": "*"
}
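The following is an added example, not code from the question or the answer above: a deliberately simplified model of IAM's evaluation logic (explicit Deny wins, otherwise every resource ARN in the request needs a matching Allow) used to show why the asker's policy fails and why both fixes discussed above work. The account id, region, AMI id and other resource ids are constructed placeholders, and the model is not AWS's real authorization engine; it only covers the operators and resource types the thread uses.

```python
import fnmatch

# Constructed placeholders (not from the page): account id and region.
ACCOUNT = "123456789012"
REGION = "us-east-1"


def arn(resource):
    return f"arn:aws:ec2:{REGION}:{ACCOUNT}:{resource}"


def allow_policy(include_image):
    """The asker's RunInstances statements, optionally with the image ARN the
    answer says is missing. AMI ARNs carry no account id, hence the empty field."""
    resources = [arn(r) for r in ("network-interface/*", "volume/*", "key-pair/*",
                                  "security-group/*", "subnet/*")]
    if include_image:
        resources.append(f"arn:aws:ec2:{REGION}::image/ami-*")
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": resources},
        {"Effect": "Allow", "Action": "ec2:RunInstances",
         "Resource": [arn("instance/*")],
         "Condition": {"StringEquals": {"ec2:InstanceType": "t2.micro"}}},
    ]}


# The answer's alternative: broad Allow plus the two explicit Deny statements.
DENY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["ec2:RunInstances"],
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringNotEquals": {"ec2:InstanceType": ["t2.micro"]}}},
    {"Effect": "Deny", "Action": ["ec2:ModifyInstanceAttribute"], "Resource": "*"},
]}


def run_instances_request(instance_type):
    """Resource ARNs RunInstances is authorised against (constructed sample ids)
    plus the condition-key context. Simplification: the context is shared across
    all resources instead of being scoped to the instance resource."""
    resources = [
        f"arn:aws:ec2:{REGION}::image/ami-0123456789abcdef0",
        arn("instance/*"), arn("network-interface/*"), arn("volume/*"),
        arn("key-pair/my-key"), arn("security-group/sg-0123456789abcdef0"),
        arn("subnet/subnet-0123456789abcdef0"),
    ]
    return resources, {"ec2:InstanceType": instance_type}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_ok(condition, context):
    """Only the two string operators used in the thread are modelled."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringNotEquals" and actual in _as_list(expected):
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise ValueError(f"unsupported operator {operator}")
    return True


def evaluate(policy, action, resources, context):
    """Return (decision, reason). An explicit Deny on any resource wins; a
    resource with no matching Allow is an implicit deny."""
    for resource in resources:
        allowed = False
        for stmt in policy["Statement"]:
            if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
                continue
            if not _condition_ok(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "DENY", f"explicit deny on {resource}"
            allowed = True
        if not allowed:
            return "DENY", f"no Allow covers {resource}"
    return "ALLOW", "every resource in the request is allowed"


if __name__ == "__main__":
    cases = [
        ("asker's policy, t2.micro", allow_policy(False), "ec2:RunInstances", run_instances_request("t2.micro")),
        ("with image ARN, t2.micro", allow_policy(True), "ec2:RunInstances", run_instances_request("t2.micro")),
        ("with image ARN, t2.large", allow_policy(True), "ec2:RunInstances", run_instances_request("t2.large")),
        ("deny policy, t2.large", DENY_POLICY, "ec2:RunInstances", run_instances_request("t2.large")),
        ("deny policy, modify type", DENY_POLICY, "ec2:ModifyInstanceAttribute", ([arn("instance/i-0abc")], {})),
    ]
    for label, policy, action, (resources, context) in cases:
        print(f"{label:28} -> {evaluate(policy, action, resources, context)}")
```

The first case reproduces the asker's symptom: every resource type except the AMI has an Allow, so the request is implicitly denied on the image ARN. Adding the image ARN makes t2.micro succeed while t2.large still fails on the instance resource, and the Deny-based variant blocks both the non-t2.micro launch and the stop-modify-start workaround the answer warns about.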
