如何允许用户仅在允许的子网中创建 ec2 实例?
How can I allow users to only create ec2 instances in a permitted subnet?
我只想允许用户在允许的子网中 run/stop ec2 实例,但是下面的代码不起作用:
{
"Effect": "Allow",
"Action": [
"ec2:RunInstances",
"ec2:TerminateInstances",
"ec2:StopInstances",
"ec2:StartInstances",
"ec2:RunScheduledInstances",
"ec2:UnmonitorInstances"
],
"Resource": [
"*"
],
"Condition": {
"ForAnyValue:ArnEquals": {
"ec2:Subnet": [
"arn:aws:ec2:*:*:subnet/subnet-*******",
"arn:aws:ec2:*:*:subnet/subnet-*******",
"arn:aws:ec2:*:*:subnet/subnet-*******"
]
}
}
}
此策略将仅允许用户以编程方式和通过控制台访问特定子网中的 运行 个 EC2 实例:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:RunInstances",
"ec2:TerminateInstances",
"ec2:StopInstances",
"ec2:StartInstances",
"ec2:RunScheduledInstances",
"ec2:UnmonitorInstances"
],
"Resource": [
"arn:aws:ec2:*:*:subnet/subnet-******",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*::image/ami-*",
"arn:aws:ec2:*:*:key-pair/*",
"arn:aws:ec2:*:*:security-group/*"
]
}
]
}
我只想允许用户在允许的子网中 run/stop ec2 实例,但是下面的代码不起作用:
{
"Effect": "Allow",
"Action": [
"ec2:RunInstances",
"ec2:TerminateInstances",
"ec2:StopInstances",
"ec2:StartInstances",
"ec2:RunScheduledInstances",
"ec2:UnmonitorInstances"
],
"Resource": [
"*"
],
"Condition": {
"ForAnyValue:ArnEquals": {
"ec2:Subnet": [
"arn:aws:ec2:*:*:subnet/subnet-*******",
"arn:aws:ec2:*:*:subnet/subnet-*******",
"arn:aws:ec2:*:*:subnet/subnet-*******"
]
}
}
}
此策略将仅允许用户以编程方式和通过控制台访问特定子网中的 运行 个 EC2 实例:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:RunInstances",
"ec2:TerminateInstances",
"ec2:StopInstances",
"ec2:StartInstances",
"ec2:RunScheduledInstances",
"ec2:UnmonitorInstances"
],
"Resource": [
"arn:aws:ec2:*:*:subnet/subnet-******",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*::image/ami-*",
"arn:aws:ec2:*:*:key-pair/*",
"arn:aws:ec2:*:*:security-group/*"
]
}
]
}