AWS IAM User Permission for a specific EC2 server not working
I am trying to restrict a user to starting/stopping one specific EC2 instance (TESTSYS). To do that I created the following IAM policy and attached it to a test user (TESTUSER):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances"
      ],
      "Resource": "arn:aws:ec2:us-east-1a:XXXXXXXXXXXX:instance/i-abcdefgh012345678",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Name": "TESTSYS"
        }
      }
    }
  ]
}
When I log in as that test user and try to start the "TESTSYS" instance, I get the error message: You are not authorized to perform this operation. Encoded authorization failure message:
Here is the decoded message:
{
  "DecodedMessage": {
    "allowed": false,
    "explicitDeny": false,
    "matchedStatements": {
      "items": []
    },
    "failures": {
      "items": []
    },
    "context": {
      "principal": {
        "id": "ABCDEFGHIJK0123456789",
        "name": "testuser",
        "arn": "arn:aws:iam::XXXXXXXXXXXX:user/testuser"
      },
      "action": "ec2:StopInstances",
      "resource": "arn:aws:ec2:us-east-1:XXXXXXXXXXXX:instance/i-abcdefgh012345678",
      "conditions": {
        "items": [
          {
            "key": "ec2:Tenancy",
            "values": {
              "items": [
                {
                  "value": "default"
                }
              ]
            }
          },
          {
            "key": "ec2:PlacementGroup",
            "values": {
              "items": [
                {
                  "value": "arn:aws:ec2:us-east-1:XXXXXXXXXXXX:placement-group/App Servers"
                }
              ]
            }
          },
          {
            "key": "XXXXXXXXXXXX:Name",
            "values": {
              "items": [
                {
                  "value": "TESTSYS"
                }
              ]
            }
          },
          {
            "key": "ec2:ResourceTag/System",
            "values": {
              "items": [
                {
                  "value": "TESTSYS"
                }
              ]
            }
          },
          {
            "key": "XXXXXXXXXXXX:System",
            "values": {
              "items": [
                {
                  "value": "TESTSYS"
                }
              ]
            }
          },
          {
            "key": "ec2:AvailabilityZone",
            "values": {
              "items": [
                {
                  "value": "us-east-1a"
                }
              ]
            }
          },
          {
            "key": "ec2:Region",
            "values": {
              "items": [
                {
                  "value": "us-east-1"
                }
              ]
            }
          },
          {
            "key": "ec2:ResourceTag/Name",
            "values": {
              "items": [
                {
                  "value": "TESTSYS"
                }
              ]
            }
          },
          {
            "key": "ec2:ebsOptimized",
            "values": {
              "items": [
                {
                  "value": "true"
                }
              ]
            }
          },
          {
            "key": "ec2:InstanceType",
            "values": {
              "items": [
                {
                  "value": "c4.large"
                }
              ]
            }
          },
          {
            "key": "ec2:RootDeviceType",
            "values": {
              "items": [
                {
                  "value": "ebs"
                }
              ]
            }
          },
          {
            "key": "ec2:InstanceProfile",
            "values": {
              "items": [
                {
                  "value": "arn:aws:iam::XXXXXXXXXXXX:instance-profile/EC2_TESTSYS"
                }
              ]
            }
          }
        ]
      }
    }
  }
}
When I simulate this policy for the same test user for StartInstance and StopInstance, I do see that the permission is allowed.
Can you tell me what I am missing?
Thanks for your help.
Thanks!
You specified an availability zone instead of a region. Try us-east-1:
"Resource": "arn:aws:ec2:us-east-1:XXXXXXXXXXXX:instance/i-abcdefgh012345678",
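An added offline check (not code from the question or the answer) that reproduces the answer's diagnosis: it splits the policy's Resource ARN and the resource ARN reported in the decoded failure message into their fields, compares them with IAM's `*` and `?` wildcard rules, and flags a region field that is really an availability zone. The two ARNs are the ones quoted on this page; the function names are mine.

```python
import re

# ARNs taken from this page: the Resource in the poster's policy and the
# resource that the decoded authorization failure message reports.
POLICY_RESOURCE = "arn:aws:ec2:us-east-1a:XXXXXXXXXXXX:instance/i-abcdefgh012345678"
REQUEST_RESOURCE = "arn:aws:ec2:us-east-1:XXXXXXXXXXXX:instance/i-abcdefgh012345678"

ARN_FIELDS = ("partition", "service", "region", "account", "resource")
# An availability zone is a region name plus one trailing letter (us-east-1a).
AZ_PATTERN = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d+[a-z]$")


def parse_arn(arn):
    """Split 'arn:partition:service:region:account:resource' into a dict."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return dict(zip(ARN_FIELDS, parts[1:]))


def field_matches(pattern, value):
    """IAM-style match of one ARN field: '*' and '?' are wildcards, rest is literal."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def diagnose(policy_arn, request_arn):
    """Return a list of reasons why the policy ARN does not cover the request ARN.

    An empty list means the Resource element would match the request, which is
    what an entry in the decoded message's matchedStatements requires.
    """
    policy, request = parse_arn(policy_arn), parse_arn(request_arn)
    problems = []
    for name in ARN_FIELDS:
        if not field_matches(policy[name], request[name]):
            problems.append(
                f"{name}: policy has {policy[name]!r}, request has {request[name]!r}")
    if AZ_PATTERN.match(policy["region"]):
        problems.append(
            f"region field {policy['region']!r} is an availability zone; "
            "EC2 ARNs carry the region, so use the region name or a wildcard")
    return problems


if __name__ == "__main__":
    for line in diagnose(POLICY_RESOURCE, REQUEST_RESOURCE):
        print(line)
```

Running it prints the single mismatching field (region) and the availability-zone hint; with the corrected ARN from the answer the list is empty.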