Amazon web services 限制启动实例的Amazon IAM用户策略
我正在尝试创建一个用户策略,以将启动实例限制在特定区域,对于t1.micro类型,我尝试了几种解决方案,但迄今为止都没有成功 即使这一个不允许描述实例状态,我创建了使用此策略来启动实例,但我不能使用API来描述其状态,不确定出了什么问题。感谢您的帮助Amazon web services 限制启动实例的Amazon IAM用户策略,amazon-web-services,amazon-ec2,aws-sdk,Amazon Web Services,Amazon Ec2,Aws Sdk,我正在尝试创建一个用户策略,以将启动实例限制在特定区域,对于t1.micro类型,我尝试了几种解决方案,但迄今为止都没有成功 即使这一个不允许描述实例状态,我创建了使用此策略来启动实例,但我不能使用API来描述其状态,不确定出了什么问题。感谢您的帮助 { "Version": "2012-10-17", "Statement": [ { "Sid": "..", "Effect": "Allow",
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "..",
"Effect": "Allow",
"Action": [
"ec2:*"
],
"Resource": [
"arn:aws:ec2:us-west-2:*:*"
]
}
]
}
我找到了aws文档,它解释了什么api不支持资源级别权限,为什么我问题中的策略不起作用,在将一些操作移到资源中使用*后,下面的内容对我的案例起了作用:
{
"Version": "2012-10-17",
"Statement": [
{ // This allows viewing instances if user login to dashboard (does not include cloudwatch, you can add it if you want)
"Effect": "Allow",
"Action": [
"ec2:Describe*"
],
"Resource": "*"
},
{ // Users are limited to starting instances that in west region, and only micro instances
"Effect": "Allow",
"Action": [
"ec2:RunInstances",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances"
],
"Resource": "arn:aws:ec2:us-west-2:*:instance/*",
"Condition": {
"StringEquals": {
"ec2:InstanceType": [
"t1.micro",
"t2.micro"
]
}
}
},
{ // allow user to launch instances using images in west region
"Effect": "Allow",
"Action": [
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:us-west-2:*:image/ami-*",
"arn:aws:ec2:us-west-2:*:subnet/*",
"arn:aws:ec2:us-west-2:*:network-interface/*",
"arn:aws:ec2:us-west-2:*:volume/*",
"arn:aws:ec2:us-west-2:*:key-pair/*",
"arn:aws:ec2:us-west-2:*:security-group/*"
]
},
{ // these don't fall under resource-level permission, so they need to be separated in order to users to launch instances
"Effect": "Allow",
"Action": [
"ec2:CreateSecurityGroup",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress"
],
"Resource": "*"
},
{ // This also cannot have resource-level permission, allows user to create images from existing running instances
"Effect": "Allow",
"Action": [
"ec2:CreateImage"
],
"Resource": [
"*"
]
}
]
}
希望这能帮助别人