SCP behaving abruptly when adding VPC resource
I am using an SCP policy to stop the creation of EC2 resources (subnet, security group, instance, VPC) when they carry no tags. I am using a tag policy to check the compliance tags.
But as soon as I add the action and resource for VPC to my SCP policy, I can no longer create subnets or security groups.
The SCP policy below works fine without the VPC resource -
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1ForProjectTag",
            "Effect": "Deny",
            "Action": [
                "ec2:RunInstances",
                "ec2:CreateSecurityGroup",
                "ec2:CreateSubnet"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:subnet/*"
            ],
            "Condition": {
                "Null": {
                    "aws:RequestTag/project": [
                        "true"
                    ]
                }
            }
        }
    ]
}
This SCP policy is failing - i.e. I cannot create a security group/subnet even with the proper tag.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1ForProjectTag",
            "Effect": "Deny",
            "Action": [
                "ec2:RunInstances",
                "ec2:CreateSecurityGroup",
                "ec2:CreateSubnet",
                "ec2:CreateVpc"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:vpc/*"
            ],
            "Condition": {
                "Null": {
                    "aws:RequestTag/project": [
                        "true"
                    ]
                }
            }
        }
    ]
}
Can someone explain this?
Combining different Actions and Resources in the same statement is not recommended. It may cause unexpected behavior or other problems. Also, not all actions are applicable to all resources; you need to specify the appropriate ones.
So first split the statement into multiple statements. Then change the Effect from Allow to Deny, and change the condition to 'StringNotEquals'.
The SCP should look like this:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1ForProjectTag",
            "Effect": "Deny",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "ForAllValues:StringNotEquals": {
                    "aws:TagKeys": [
                        "project"
                    ]
                }
            }
        },
        {
            "Sid": "Statement2ForProjectTag",
            "Effect": "Deny",
            "Action": [
                "ec2:CreateSecurityGroup"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:security-group/*"
            ],
            "Condition": {
                "ForAllValues:StringNotEquals": {
                    "aws:TagKeys": [
                        "project"
                    ]
                }
            }
        },
        {
            "Sid": "Statement3ForProjectTag",
            "Effect": "Deny",
            "Action": [
                "ec2:CreateSubnet"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:subnet/*"
            ],
            "Condition": {
                "ForAllValues:StringNotEquals": {
                    "aws:TagKeys": [
                        "project"
                    ]
                }
            }
        },
        {
            "Sid": "Statement4ForProjectTag",
            "Effect": "Deny",
            "Action": [
                "ec2:CreateVpc"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:vpc/*"
            ],
            "Condition": {
                "ForAllValues:StringNotEquals": {
                    "aws:TagKeys": [
                        "project"
                    ]
                }
            }
        }
    ]
}
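To see why listing the vpc/* resource in the same statement can deny CreateSubnet even when the subnet is tagged, here is an added Python model of the Deny evaluation (example code, not the asker's, the answerer's, or AWS's). It assumes that EC2 authorizes ec2:CreateSubnet against both the new subnet and its parent VPC, and that only the subnet carries the aws:RequestTag and aws:TagKeys keys; the account id, VPC id and tag values are constructed, and the split policy is reduced to its subnet and VPC statements.

```python
from fnmatch import fnmatchcase

# Constructed, simplified model of SCP Deny evaluation (added example, not AWS code).
# Assumption modelled: CreateSubnet is authorized against the new subnet (which has
# aws:RequestTag/... and aws:TagKeys) and the existing VPC (which has no request-tag keys).

def condition_matches(cond, ctx):
    for op, kv in cond.items():
        for key, values in kv.items():
            if op == "Null":  # "true" means: match when the key is absent
                if (key not in ctx) != (values[0] == "true"):
                    return False
            elif op == "ForAllValues:StringNotEquals":  # vacuously true for no keys
                if any(v in values for v in ctx.get(key, [])):
                    return False
    return True

def denied_by(policy, action, resource_ctx):
    """Sids of Deny statements matching any (arn, context) pair of the request."""
    hits = []
    for st in policy["Statement"]:
        if st["Effect"] != "Deny" or action not in st["Action"]:
            continue
        for arn, ctx in resource_ctx:
            if any(fnmatchcase(arn, p) for p in st["Resource"]) and \
                    condition_matches(st["Condition"], ctx):
                hits.append(st["Sid"])
                break
    return hits

def create_subnet_request(tags):
    """Constructed request: tag keys only apply to the subnet being created."""
    subnet_ctx = {f"aws:RequestTag/{k}": v for k, v in tags.items()}
    subnet_ctx["aws:TagKeys"] = list(tags)
    return [("arn:aws:ec2:us-east-1:111122223333:subnet/subnet-new", subnet_ctx),
            ("arn:aws:ec2:us-east-1:111122223333:vpc/vpc-0123456789abcdef0", {})]

def deny(sid, actions, resources, cond):
    return {"Sid": sid, "Effect": "Deny", "Action": actions,
            "Resource": resources, "Condition": cond}
NULL_PROJECT = {"Null": {"aws:RequestTag/project": ["true"]}}
NO_PROJECT_KEY = {"ForAllValues:StringNotEquals": {"aws:TagKeys": ["project"]}}
COMBINED = {"Statement": [deny("Statement1ForProjectTag",  # the question's policy
    ["ec2:RunInstances", "ec2:CreateSecurityGroup", "ec2:CreateSubnet", "ec2:CreateVpc"],
    ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:security-group/*",
     "arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:vpc/*"], NULL_PROJECT)]}
SPLIT = {"Statement": [  # the answer's per-resource statements (subnet and vpc only)
    deny("Statement3ForProjectTag", ["ec2:CreateSubnet"], ["arn:aws:ec2:*:*:subnet/*"], NO_PROJECT_KEY),
    deny("Statement4ForProjectTag", ["ec2:CreateVpc"], ["arn:aws:ec2:*:*:vpc/*"], NO_PROJECT_KEY)]}
```

In this model the combined statement denies a correctly tagged CreateSubnet because the parent VPC matches vpc/* and has no aws:RequestTag/project key, while the split policy only denies a subnet whose request lacks the project tag key.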