Amazon ec2 使用AWS null条件来防止标记为空或丢失?
我的政策文件的目标是:Amazon ec2 使用AWS null条件来防止标记为空或丢失?,amazon-ec2,null,key,amazon-iam,Amazon Ec2,Null,Key,Amazon Iam,我的政策文件的目标是: 如果没有正确的标记,则阻止创建资源 要求为特定标签指定特定值(例如,env标签必须为dev或stg或prd等) 二号工程如期进行;但是,如果用户创建了一个标记为空的EC2实例,或者只是忘记添加它,那么策略仍然允许用户创建实例 我尝试了null操作符(引用),但它似乎不起作用 另一种尝试是使用与aws:tag keys值(参考)匹配的条件,但它仅在使用类似字符串的比较运算符检查单个值时才起作用 这是Lambda函数关闭dev实例的先决条件 处理完这个之后,我发现它只需要稍
处理完这个之后,我发现它只需要稍微调整一下。出于某种原因,AWS需要明确允许同一政策文件中的操作(即使附加到同一用户的另一政策文件明确声明允许),以正确实施预期政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:*::image/ami-*",
"arn:aws:ec2:*:ACCOUNT_ID:subnet/*",
"arn:aws:ec2:*:ACCOUNT_ID:network-interface/*",
"arn:aws:ec2:*:ACCOUNT_ID:volume/*",
"arn:aws:ec2:*:ACCOUNT_ID:key-pair/*",
"arn:aws:ec2:*:ACCOUNT_ID:security-group/*"
],
"Sid": "AllowRunInstances"
},
{
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:*:ACCOUNT_ID:instance/*",
"Condition": {
"StringNotLike": {
"aws:RequestTag/env": [
"dev",
"stg",
"prd",
"dev-noshutdown",
"trn",
"tst"
]
}
},
"Sid": "RequireSpecificEnvTags"
}
]
}
而且它有效
请注意:当前此策略似乎不允许创建Spot实例(因为Spot请求处理标记的方式不同)。我向AWS提交了功能请求。非常感谢,我正在寻找确切的要求,但无法编写策略。我来测试一下,然后回来。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:*::image/ami-*",
"arn:aws:ec2:*:ACCOUNT_ID:subnet/*",
"arn:aws:ec2:*:ACCOUNT_ID:network-interface/*",
"arn:aws:ec2:*:ACCOUNT_ID:volume/*",
"arn:aws:ec2:*:ACCOUNT_ID:key-pair/*",
"arn:aws:ec2:*:ACCOUNT_ID:security-group/*"
],
"Sid": "AllowRunInstances"
},
{
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:*:ACCOUNT_ID:instance/*",
"Condition": {
"StringNotLike": {
"aws:RequestTag/env": [
"dev",
"stg",
"prd",
"dev-noshutdown",
"trn",
"tst"
]
}
},
"Sid": "RequireSpecificEnvTags"
}
]
}