AWS SSM Policy doesn't work like the documentation

I tried to provide a policy following the example here: https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-restrict-access-examples.html

However, I keep getting a warning, and it doesn't work.

This is what I have tried so far:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowStartSessionExceptProd",
            "Effect": "Allow",
            "Action": [
                "ssm:StartSession"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotLike": {
                    "ssm:resourceTag/environment": [
                        "prod",
                        "Prod"
                    ]
                }
            }
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowStartSessionExceptProd",
            "Effect": "Allow",
            "Action": [
                "ssm:StartSession"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "arn:aws:ec2:*:*:instance": [
                        "i-myInstanceId1",
                        "i-myInstanceId2"
                    ]
                }
            }
        }
    ]
}

I even tried using more resource-based conditions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowStartSessionExceptProd",
            "Effect": "Allow",
            "Action": [
                "ssm:StartSession"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotLike": {
                    "ssm:resourceTag/environment": [
                        "prod",
                        "Prod"
                    ],
                    "arn:aws:ec2:*:*:resourceTag/environment": [
                        "prod",
                        "Prod"
                    ],
                    "ec2:resourceTag/environment": [
                        "prod",
                        "Prod"
                    ]
                }
            }
        }
    ]
}

In general, all I want to do is allow starting a session in SSM on servers that are not production servers. My production EC2 servers all have a tag environment:prod

In every case I get an error message and it doesn't work: There are no actions in your policy that support this condition key.

Example: ec2:resourceTag/environment (StringNotLike prod and Prod) There are no actions in your policy that support this condition key.

Any help is appreciated.

Based on the comments and some investigation, here is the answer:

The docs make it easy to see which actions support which condition keys.

Unfortunately, the example provided for restricting access is wrong, i.e. there is a bug in the documentation that contains the example code.

A PR might be a good idea so that others don't get stuck on the same thing.
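Added example, not from the question or answer above: a small local model of the documented IAM string-condition semantics, run against the first policy from the question. It is an assumption-laden simplification (no resource ARN matching, no ...IfExists operators, not the AWS evaluation engine and not the console validator that raised the warning), but it makes visible the two gaps in a tag-based StringNotLike allow: string operators are case-sensitive, and a negated operator evaluates to true when the tag is absent, so an untagged or differently cased production instance is still allowed.

```python
import fnmatch
import json

# Constructed input: the first policy posted in the question, reused verbatim.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowStartSessionExceptProd",
    "Effect": "Allow",
    "Action": ["ssm:StartSession"],
    "Resource": "*",
    "Condition": {"StringNotLike": {"ssm:resourceTag/environment": ["prod", "Prod"]}}
  }]
}""")

def _string_op(operator, value, patterns):
    # Documented IAM string operators: case-sensitive; *Like accepts * and ? wildcards.
    like = any(fnmatch.fnmatchcase(value, p) for p in patterns)
    if operator == "StringEquals":
        return value in patterns
    if operator == "StringNotEquals":
        return value not in patterns
    if operator == "StringLike":
        return like
    if operator == "StringNotLike":
        return not like
    raise ValueError(f"unsupported operator {operator}")

def condition_matches(condition, context):
    # Every operator block and every key must match (logical AND). A key missing
    # from the request context makes a negated operator true and a positive one
    # false, as the IAM docs describe (assumption: plain operators only).
    for operator, keys in condition.items():
        for key, patterns in keys.items():
            patterns = patterns if isinstance(patterns, list) else [patterns]
            if key not in context:
                if operator.startswith("StringNot"):
                    continue
                return False
            if not _string_op(operator, context[key], patterns):
                return False
    return True

def is_allowed(policy, action, context):
    # Simplified decision: an explicit Deny wins, otherwise any matching Allow wins.
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions or not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Running it with context `{"ssm:resourceTag/environment": "PROD"}` or with an empty context returns True, which is why a tag-based allow is usually paired with an explicit Deny for the production tag and a tagging convention that is enforced.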