我创建了一个策略,允许用户执行所有 ec2 操作,但限制用户运行实例和创建卷,并且仅在他们传递给定的标签键值对并显式拒绝时才终止实例。
-
EC2 完全权限策略
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "ec2:*", "Resource": "*" } ] } -
EC2 运行实例并创建带有条件的显式拒绝卷。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Deny", "Action": [ "ec2:RunInstances", "ec2:CreateVolume" ], "Resource": [ "arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*" ], "Condition": { "ForAllValues:StringNotEquals": { "aws:TagKeys": "Name", "aws:RequestTag/Name": "${aws:username}" } } }, { "Sid": "VisualEditor1", "Effect": "Deny", "Action": "ec2:CreateTags", "Resource": [ "arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*" ], "Condition": { "ForAllValues:StringNotEquals": { "aws:RequestTag/Name": "${aws:username}" }, "StringNotEquals": { "ec2:CreateAction": "RunInstances", "aws:TagKeys": "Name" } } }, { "Sid": "VisualEditor2", "Effect": "Deny", "Action": [ "ec2:DeleteVolume", "ec2:TerminateInstances" ], "Resource": [ "arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*" ], "Condition": { "ForAllValues:StringNotEquals": { "ec2:ResourceTag/Name": "${aws:username}" } } } ] }
我的要求是限制用户授予所有 ec2 权限,并且仅在将标签键"名称"和标签值传递为"其 aws 用户名"时限制运行实例。 但是,当将此策略应用于用户时,它会限制他们仅在传递标签键"名称"时运行,但不会限制标签值"他们的 AWS 用户名 ${aws:username}"。 但是,当用户尝试终止实例时,相同的限制可以正常工作,即用户无法使用标签键"名称"和标签值"其 AWS 用户名 ${aws:用户名}"终止实例
策略中的错误可能是什么,即允许用户使用标签键"名称"和标签值的任何值运行实例,即使 null 也允许
您可以使用以下 IAM 策略并根据自己的喜好进行编辑。我在生产中使用它并且完美无缺。仅当实例被标记为列表中存在的值时,它才会启动实例。
此处,键 =Environment,值 =mentioned below
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "TheseActionsDontSupportResourceLevelPermissions",
"Effect": "Allow",
"Action": [
"ec2:Describe*"
],
"Resource": "*"
},
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:*::image/ami-*",
"arn:aws:ec2:*:ACCOUNT_ID:volume/*",
"arn:aws:ec2:*:ACCOUNT_ID:subnet/*",
"arn:aws:ec2:*:ACCOUNT_ID:network-interface/*",
"arn:aws:ec2:*:ACCOUNT_ID:security-group/*",
"arn:aws:ec2:*:ACCOUNT_ID:key-pair/*"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:*:ACCOUNT_ID:instance/*",
"Condition": {
"StringNotLike": {
"aws:RequestTag/Environment": [
"Testing",
"Staging",
"Production",
"Nightly",
"Sandbox",
"LoadTesting"
]
}
}
}
]
}
它不起作用,因为以下块正在实现逻辑 OR。因此,如果满足任何条件,实例将启动。您必须通过将条件键分隔在两个不同的块中来创建逻辑 AND,如此处所述。
"Condition": {
"ForAllValues:StringNotEquals": {
"aws:TagKeys": "Name",
"aws:RequestTag/Name": "${aws:username}"
}
}