是否有AWS SCP 来阻止用户创建弹性IP EC2?
Is there AWS SCP to block users from creating elastic IP EC2?
AWS 组织帐户是否可以阻止或阻止子 AWS 帐户启动具有弹性 IP 的 public AWS EC2 实例?希望这些帐户中的那些用户仅启动私有 ec2(s)。
没有SCP还有其他办法吗?
此致,
此用例没有直接存在的 SCP。但是你可以写一个。
Grants permission to allocate an Elastic IP address (EIP) to your account and various other operations related to the network interfaces with condition key below.
ec2:AllocateAddress
ec2:AssociateAddress
ec2:CreateNetworkInterface
有条件键
ec2:AssociatePublicIpAddress
Filters access by whether the user wants to associate a public IP address with the instance
如果你想让事情变得更简单,你可能也想检查这个
Example: Prevent any VPC that doesn't already have internet access from getting it
有几种方法。 SCP via AWS Config 是一个,你可以使用 ec2-instance-no-public-ip or subnet-auto-assign-public-ip-disabled rules. And you also have option to control it via IAM by denying the AllocateAddress 权限
AWS 组织帐户是否可以阻止或阻止子 AWS 帐户启动具有弹性 IP 的 public AWS EC2 实例?希望这些帐户中的那些用户仅启动私有 ec2(s)。
没有SCP还有其他办法吗?
此致,
此用例没有直接存在的 SCP。但是你可以写一个。
Grants permission to allocate an Elastic IP address (EIP) to your account and various other operations related to the network interfaces with condition key below.
ec2:AllocateAddress
ec2:AssociateAddress
ec2:CreateNetworkInterface
有条件键
ec2:AssociatePublicIpAddress
Filters access by whether the user wants to associate a public IP address with the instance
如果你想让事情变得更简单,你可能也想检查这个
Example: Prevent any VPC that doesn't already have internet access from getting it
有几种方法。 SCP via AWS Config 是一个,你可以使用 ec2-instance-no-public-ip or subnet-auto-assign-public-ip-disabled rules. And you also have option to control it via IAM by denying the AllocateAddress 权限