我已经创建了一个custom IAM policy来限制用户访问基于标签,如果Resource tag Name有任何值Test,那么用户可以start stop reboot实例。
这是我的策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "TheseActionsDontSupportResourceLevelPermissions",
"Effect": "Allow",
"Action": ["ec2:Describe*"],
"Resource": "*"
},
{
"Sid": "TheseActionsSupportResourceLevelPermissionsWithTags",
"Effect": "Allow",
"Action": [
"ec2:TerminateInstances",
"ec2:StopInstances",
"ec2:StartInstances"
],
"Resource": "arn:aws:ec2:us-east-1:acct_no:instance/*",
"Condition": {
"ForAnyValue:StringEquals": {
"ec2:ResourceTag/Name": "Test"
}
}
}
]
}
但是当我应用策略时,用户不能执行指定的操作。
请帮助。
谢谢
ForAnyValue对于您的Amazon IAM用例来说是一个不合适的条件,到目前为止,它只适用于集合(详细信息请参见创建测试多个键值(集合操作)的条件)-简单地删除ForAnyValue:前缀应该产生一个工作策略,例如参见EC2的资源级权限中的示例-控制特定实例的管理访问:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:RebootInstances",
"ec2:TerminateInstances"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/critical":"true"
}
},
"Resource": [
"arn:aws:ec2:your_region:your_account_ID:instance/*"
],
"Effect": "Allow"
}
]
}