I'm trying to put some limits on the instance types that people can launch. I have the following policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:us-east-1:123:key-pair/CI",
                "arn:aws:ec2:us-east-1:123:instance/*",
                "arn:aws:ec2:us-east-1:123:image/ami-*",
                "arn:aws:ec2:us-east-1:123:subnet/*",
                "arn:aws:ec2:us-east-1:123:network-interface/*",
                "arn:aws:ec2:us-east-1:123:volume/*",
                "arn:aws:ec2:us-east-1:123:security-group/sg-a363xxxx"
            ]
        },
        {
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "ec2:InstanceType": "m4.4xlarge"
                }
            }
        }
    ]
}
The first statement works fine, but I'm trying to add the Deny section. This is the RunInstances request:
{
    "DryRun": true,
    "ImageId": "ami-5f709f34",
    "KeyName": "FE-CI",
    "SecurityGroupIds": [
        "sg-a363bada"
    ],
    "UserData": "",
    "InstanceType": "m4.4xlarge",
    "SubnetId": "subnet-xxxxx",
    "EbsOptimized": false
}
When I add the condition statement, everything gets denied. Here is the decoded authorization message:
{
    "DecodedMessage": {
        "allowed": false,
        "explicitDeny": true,
        "matchedStatements": {
            "items": [
                {
                    "statementId": "",
                    "effect": "DENY",
                    "principals": {"items": []},
                    "principalGroups": {"items": [{"value": "xxx"}]},
                    "actions": {"items": [{"value": "ec2:RunInstances"}]},
                    "resources": {"items": [{"value": "*"}]},
                    "conditions": {
                        "items": [
                            {"key": "ec2:InstanceType", "values": {"items": [{"value": "m4.4xlarge"}]}}
                        ]
                    }
                }
            ]
        },
        "failures": {"items": []},
        "context": {
            "principal": {
                "id": "xxx",
                "name": "jellin-test",
                "arn": "arn:aws:iam::xxx:user/jellin-test"
            },
            "action": "ec2:RunInstances",
            "resource": "arn:aws:ec2:us-east-1:xxx:key-pair/FE-CI",
            "conditions": {
                "items": [
                    {"key": "ec2:Region", "values": {"items": [{"value": "us-east-1"}]}}
                ]
            }
        }
    }
}
I don't see anything obviously wrong here. My understanding is that the first statement should pass, and the second should only deny when the instance type is not m4.4xlarge.
The StringNotEquals key needs to be changed to StringNotEqualsIfExists. There is a good explanation here of why this happens.
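As an added illustration, not part of the question or the answer above: a small Python model of how IAM authorizes RunInstances once per resource ARN, showing why a Deny with Resource "*" and a StringNotEquals condition matches the key-pair resource named in the decoded message, where ec2:InstanceType is simply absent from the request context. It is a simplified model, not the IAM engine: it covers only the missing-key rule for negated string operators, the ARNs and per-resource contexts are constructed from the values in the question, and the Deny statement's Resource is a parameter so the same policy can be compared with the Deny scoped to the instance ARN only (where ec2:InstanceType is always present).

```python
from fnmatch import fnmatch

def request_context(instance_type):
    """Constructed per-resource request contexts for one RunInstances call.
    IAM authorizes the call once per resource ARN, and ec2:InstanceType is only
    populated for the instance resource, not for key pair, image, subnet, etc."""
    return {
        "arn:aws:ec2:us-east-1:123:key-pair/CI": {},
        "arn:aws:ec2:us-east-1:123:image/ami-5f709f34": {},
        "arn:aws:ec2:us-east-1:123:instance/*": {"ec2:InstanceType": instance_type},
    }

def policy(deny_resource):
    """The question's policy (trimmed), with the Deny statement's Resource as a parameter."""
    return [
        {"Effect": "Allow", "Action": "ec2:RunInstances",
         "Resource": ["arn:aws:ec2:us-east-1:123:key-pair/CI",
                      "arn:aws:ec2:us-east-1:123:instance/*",
                      "arn:aws:ec2:us-east-1:123:image/ami-*"]},
        {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": [deny_resource],
         "Condition": {"StringNotEquals": {"ec2:InstanceType": "m4.4xlarge"}}},
    ]

def condition_matches(operator, key, expected, context):
    """One string condition. A negated operator (StringNot...) is satisfied when
    the key is absent from the request context; a positive operator is not."""
    negated = operator.startswith("StringNot")
    if key not in context:
        return negated
    return (context[key] != expected) if negated else (context[key] == expected)

def evaluate(statements, resource, context):
    """Decision for one resource ARN: explicit Deny wins, then Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for stmt in statements:
        if not any(fnmatch(resource, pattern) for pattern in stmt["Resource"]):
            continue
        conds = stmt.get("Condition", {})
        if all(condition_matches(op, k, v, context)
               for op, kv in conds.items() for k, v in kv.items()):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def run_instances(deny_resource, instance_type):
    """Map each resource ARN touched by RunInstances to its decision."""
    return {arn: evaluate(policy(deny_resource), arn, ctx)
            for arn, ctx in request_context(instance_type).items()}
```

Running run_instances("*", "m4.4xlarge") denies the key-pair and image resources even though the requested type is the permitted one, which is exactly the explicit deny on key-pair/FE-CI in the decoded message; with the Deny scoped to the instance ARN, the other resources are no longer touched by the condition.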