参考此DOC我创建了IAM策略,该策略允许仅访问一个EC2实例。我创建了一个具有该策略的IAM用户。但是,当我将该用户登录到我的AWS帐户中时,我遇到了错误:"发生错误获取实例数据:您无权执行此操作。"
策略文件:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:*"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/test": "test"
}
},
"Resource": [
"arn:aws:ec2:us-east-1:AccountNumber:instance/*
],
"Effect": "Allow"
}
]
}
您必须添加EC2描述以描述所有EC2资源,然后基于其他语句以通过标签过滤资源。
但是,有了此策略,其他IAM帐户仍然无需任何许可即可查看其他EC2实例。
这是您需要的。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1507182214000",
"Effect": "Allow",
"Action": [
"ec2:*"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/TAG_NAME": "TAG_VALUE"
}
},
"Resource": [
"arn:aws:ec2:AWS_REGION:AWS_ACCOUNT:instance/*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeTags"
],
"Resource": "*"
},
{
"Effect": "Deny",
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags"
],
"Resource": "*"
}
]
}