Amazon IAM User Policy To Limit Launch Instances
I'm trying to create a user policy that limits launching instances to a specific region and the t1.micro type. I've tried several solutions, but none work so far.
Even this one does not allow describing instance state: I created a user with this policy to launch instances, but I cannot use the API to describe their state. I don't know what's wrong. Any help is appreciated.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "..",
            "Effect": "Allow",
            "Action": [
                "ec2:*"
            ],
            "Resource": [
                "arn:aws:ec2:us-west-2:*:*"
            ]
        }
    ]
}
I found this AWS documentation, which explains which APIs do not support resource-level permissions and why the policy in my question does not work. The following works for my case after moving some actions to use * as the resource:
Notes on each statement (the Sid names are used as labels):
Describe: this allows viewing instances if the user logs in to the dashboard (does not include CloudWatch, you can add it if you want).
MicroOnlyWest: users are limited to starting instances in the west region, and only micro instances.
LaunchDeps: allows the user to launch instances using images in the west region.
SecurityGroups: these don't fall under resource-level permissions, so they need to be separated in order for users to launch instances.
CreateImage: this also cannot have resource-level permissions; allows the user to create images from existing running instances.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Describe",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "MicroOnlyWest",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances"
            ],
            "Resource": "arn:aws:ec2:us-west-2:*:instance/*",
            "Condition": {
                "StringEquals": {
                    "ec2:InstanceType": [
                        "t1.micro",
                        "t2.micro"
                    ]
                }
            }
        },
        {
            "Sid": "LaunchDeps",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:us-west-2:*:image/ami-*",
                "arn:aws:ec2:us-west-2:*:subnet/*",
                "arn:aws:ec2:us-west-2:*:network-interface/*",
                "arn:aws:ec2:us-west-2:*:volume/*",
                "arn:aws:ec2:us-west-2:*:key-pair/*",
                "arn:aws:ec2:us-west-2:*:security-group/*"
            ]
        },
        {
            "Sid": "SecurityGroups",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateSecurityGroup",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CreateImage",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateImage"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
Hope this helps others.
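To see concretely why the policy in the question cannot describe instances while the answer's policy can, here is a small offline simulator of IAM's evaluation logic run over both policies. It is an added example, not code from the original post or from AWS. It implements only the subset of IAM semantics these two policies rely on: `*` wildcards, the StringEquals operator, explicit Deny beating Allow, implicit Deny when nothing matches, and the rule that a RunInstances call is allowed only if every ARN it touches is allowed. Actions that do not support resource-level permissions (the Describe* family here) are simulated with the resource `"*"`, which is how IAM evaluates them. The account ID, AMI ID, subnet, key pair and security group IDs in `launch_resources` are constructed placeholders.

```python
"""Simplified offline simulator of IAM policy evaluation (added example, not
AWS code).  Only StringEquals is modelled; check real decisions with IAM's
policy simulator (iam:SimulateCustomPolicy)."""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    """IAM-style wildcard: '*' matches any run of characters (even none), '?' one."""
    return fnmatch.fnmatchcase(value, pattern)


def _conditions_hold(condition, context):
    """Only StringEquals is modelled; a missing context key makes it false."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, allowed in pairs.items():
            if context.get(key) not in _as_list(allowed):
                return False
    return True


def _statement_effect(statement, action, resource, context):
    """The statement's Effect if it applies to this action and resource, else None."""
    if not any(_glob(p.lower(), action.lower()) for p in _as_list(statement["Action"])):
        return None
    if not any(_glob(p, resource) for p in _as_list(statement["Resource"])):
        return None
    if not _conditions_hold(statement.get("Condition", {}), context):
        return None
    return statement["Effect"]


def evaluate(policy, action, resources, context=None):
    """'Allow' only if every resource gets an Allow and none gets an explicit Deny."""
    context = context or {}
    for resource in resources:
        effects = {_statement_effect(s, action, resource, context)
                   for s in policy["Statement"]}
        if "Deny" in effects or "Allow" not in effects:
            return "Deny"
    return "Allow"


# The policy from the question: every EC2 action, scoped to us-west-2 ARNs only.
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*"], "Resource": ["arn:aws:ec2:us-west-2:*:*"]}]}

# The policy from the answer.
ANSWER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Describe", "Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
    {"Sid": "MicroOnlyWest", "Effect": "Allow",
     "Action": ["ec2:RunInstances", "ec2:StartInstances",
                "ec2:StopInstances", "ec2:TerminateInstances"],
     "Resource": "arn:aws:ec2:us-west-2:*:instance/*",
     "Condition": {"StringEquals": {"ec2:InstanceType": ["t1.micro", "t2.micro"]}}},
    {"Sid": "LaunchDeps", "Effect": "Allow", "Action": ["ec2:RunInstances"],
     "Resource": ["arn:aws:ec2:us-west-2:*:image/ami-*", "arn:aws:ec2:us-west-2:*:subnet/*",
                  "arn:aws:ec2:us-west-2:*:network-interface/*",
                  "arn:aws:ec2:us-west-2:*:volume/*", "arn:aws:ec2:us-west-2:*:key-pair/*",
                  "arn:aws:ec2:us-west-2:*:security-group/*"]},
    {"Sid": "SecurityGroups", "Effect": "Allow", "Resource": "*",
     "Action": ["ec2:CreateSecurityGroup", "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress"]},
    {"Sid": "CreateImage", "Effect": "Allow", "Action": ["ec2:CreateImage"], "Resource": ["*"]}]}


def launch_resources(region, account="123456789012"):
    """Constructed placeholder ARNs that one RunInstances call is authorised against
    (the instance ARN is not known before launch, so IAM evaluates instance/*)."""
    return [f"arn:aws:ec2:{region}:{account}:instance/*",
            f"arn:aws:ec2:{region}::image/ami-0123456789abcdef0",
            f"arn:aws:ec2:{region}:{account}:subnet/subnet-0123",
            f"arn:aws:ec2:{region}:{account}:network-interface/*",
            f"arn:aws:ec2:{region}:{account}:volume/*",
            f"arn:aws:ec2:{region}:{account}:key-pair/deploy",
            f"arn:aws:ec2:{region}:{account}:security-group/sg-0123"]


if __name__ == "__main__":
    micro, large = {"ec2:InstanceType": "t2.micro"}, {"ec2:InstanceType": "t2.large"}
    print("question policy, DescribeInstances:", evaluate(QUESTION_POLICY, "ec2:DescribeInstances", ["*"]))
    print("question policy, RunInstances     :", evaluate(QUESTION_POLICY, "ec2:RunInstances", launch_resources("us-west-2")))
    print("answer policy, DescribeInstances  :", evaluate(ANSWER_POLICY, "ec2:DescribeInstances", ["*"]))
    print("answer policy, t2.micro us-west-2 :", evaluate(ANSWER_POLICY, "ec2:RunInstances", launch_resources("us-west-2"), micro))
    print("answer policy, t2.large us-west-2 :", evaluate(ANSWER_POLICY, "ec2:RunInstances", launch_resources("us-west-2"), large))
    print("answer policy, t2.micro us-east-1 :", evaluate(ANSWER_POLICY, "ec2:RunInstances", launch_resources("us-east-1"), micro))
```

The first two lines of output show the asymmetry the question ran into: the region-scoped `ec2:*` statement does allow RunInstances (every launch ARN is under us-west-2), but DescribeInstances is evaluated against the resource `"*"`, which `arn:aws:ec2:us-west-2:*:*` does not match, so it is implicitly denied. The answer's policy grants Describe* on `"*"` and pushes the region and instance-type restriction down onto the instance ARN and the `ec2:InstanceType` condition, so a t2.large launch or a us-east-1 launch is denied because no statement covers the instance resource.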