Amazon web services: Amazon IAM user policy restricting instance launches


I am trying to create a user policy that restricts launching instances to a specific region and to the t1.micro type. I have tried several solutions, but none have worked so far.

Even this one does not allow describing instance status. I created it so that instances can be launched with this policy, but I cannot use the API to describe their status, and I'm not sure what is going wrong. Thanks for your help.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "..",
            "Effect": "Allow",
            "Action": [
                "ec2:*"
            ],
            "Resource": [
                "arn:aws:ec2:us-west-2:*:*"
            ]
        }
    ]
}
I found the AWS documentation that explains which APIs do not support resource-level permissions, and therefore why the policy in my question did not work. After moving some actions into statements that use * as the resource, the following worked for my case:

{
    "Version": "2012-10-17",
    "Statement": [
        {  // This allows viewing instances if user login to dashboard (does not include cloudwatch, you can add it if you want)
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*"
            ],
            "Resource": "*"
        },
        {   // Users are limited to starting instances that in west region, and only micro instances
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances"
            ],
            "Resource": "arn:aws:ec2:us-west-2:*:instance/*",
            "Condition": {
                "StringEquals": {
                    "ec2:InstanceType": [
                        "t1.micro",
                        "t2.micro"
                    ]
                }
            }
        },
        {   // allow user to launch instances using images in west region
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:us-west-2:*:image/ami-*",
                "arn:aws:ec2:us-west-2:*:subnet/*",
                "arn:aws:ec2:us-west-2:*:network-interface/*",
                "arn:aws:ec2:us-west-2:*:volume/*",
                "arn:aws:ec2:us-west-2:*:key-pair/*",
                "arn:aws:ec2:us-west-2:*:security-group/*"
            ]
        },
        {    // these don't fall under resource-level permission, so they need to be separated in order to users to launch instances
            "Effect": "Allow",
            "Action": [
                "ec2:CreateSecurityGroup",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress"
            ],
            "Resource": "*"
        },
        {   // This also cannot have resource-level permission, allows user to create images from existing running instances
            "Effect": "Allow",
            "Action": [
                "ec2:CreateImage"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
Hope this helps someone.
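A small policy-evaluation sketch, added here as an example and not part of either post, that models the two matching rules the answer relies on: Describe* calls are evaluated against Resource "*" because they carry no resource-level permission, and RunInstances must be allowed on every ARN it touches (instance, image, subnet, network interface, volume, key pair, security group). The two policies are constructed copies of the ones above; the account id and resource ids are hypothetical placeholders, and the evaluator is a simplification, not the IAM engine.

```python
import fnmatch

# Constructed, simplified evaluator: Allow statements plus optional StringEquals
# conditions. Enough to show why the first policy blocks DescribeInstances.

FIRST_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:*"],
     "Resource": ["arn:aws:ec2:us-west-2:*:*"]}]}

SECOND_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["ec2:RunInstances", "ec2:StartInstances",
                "ec2:StopInstances", "ec2:TerminateInstances"],
     "Resource": "arn:aws:ec2:us-west-2:*:instance/*",
     "Condition": {"StringEquals": {"ec2:InstanceType": ["t1.micro", "t2.micro"]}}},
    {"Effect": "Allow", "Action": ["ec2:RunInstances"],
     "Resource": ["arn:aws:ec2:us-west-2:*:" + r for r in (
         "image/ami-*", "subnet/*", "network-interface/*",
         "volume/*", "key-pair/*", "security-group/*")]}]}

def _listify(v):
    return v if isinstance(v, list) else [v]

def is_allowed(policy, action, resource, context=None):
    """True if some Allow statement matches action, resource and all its conditions."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in _listify(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _listify(stmt["Resource"])):
            continue
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        # A missing context key fails StringEquals, as it does in IAM.
        if all(context.get(k) in _listify(v) for k, v in conds.items()):
            return True
    return False

def can_run_instance(policy, region, instance_type, account="123456789012"):
    """RunInstances succeeds only if every resource it touches is allowed."""
    prefix = f"arn:aws:ec2:{region}:{account}:"   # hypothetical account id
    touched = ["instance/*", "image/ami-0abc", "subnet/subnet-1", "network-interface/*",
               "volume/*", "key-pair/deploy", "security-group/sg-1"]
    ctx = {"ec2:InstanceType": instance_type}
    return all(is_allowed(policy, "ec2:RunInstances", prefix + r, ctx) for r in touched)
```

Calling `is_allowed(FIRST_POLICY, "ec2:DescribeInstances", "*")` returns False while the same call against `SECOND_POLICY` returns True, and `can_run_instance(SECOND_POLICY, "us-west-2", "m5.large")` is False because the instance-type condition fails on the instance ARN.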