我正在尝试创建一个策略来限制用户仅在某个子网中运行实例,但以下内容不起作用(匿名帐户 ID、子网 ID 和 SID(
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SID",
"Effect": "Allow",
"Action": [
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeTags",
"ec2:StartInstances",
"ec2:StopInstances"
],
"Resource": [
"arn:aws:ec2:eu-west-1:ACCOUNT NUMBER:subnet/subnet-id",
"arn:aws:ec2:eu-west-1:ACCOUNT NUMBER::network-interface/*",
"arn:aws:ec2:eu-west-1:ACCOUNT NUMBER::instance/*",
"arn:aws:ec2:eu-west-1:ACCOUNT NUMBER::volume/*",
"arn:aws:ec2:eu-west-1:ACCOUNT NUMBER::image/ami-*",
"arn:aws:ec2:eu-west-1:ACCOUNT NUMBER::key-pair/*",
"arn:aws:ec2:eu-west-1:ACCOUNT NUMBER::security-group/*"
]
}
]
}
所以我试过这个,这也不起作用
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SID",
"Effect": "Allow",
"Action": [
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeTags",
"ec2:StartInstances",
"ec2:StopInstances"
],
"Condition": {
"StringEquals": {
"ec2:subnet": "subnet-id"
}
},
"Resource": [
"*"
]
}
]
}
将不胜感激人们的任何意见,谢谢!
AWS 已对此进行了记录,请参阅:https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_ec2_instances-subnet.html