Fatal编程技术网
  • amazon-web-services/
  • Amazon web services 如何使IAM用户在EC2中受标记限制的资源级别权限限制时设置名称和其他自定义标记

Amazon web services 如何使IAM用户在EC2中受标记限制的资源级别权限限制时设置名称和其他自定义标记

amazon-web-services amazon-ec2 yaml amazon-cloudformation

Amazon web services 如何使IAM用户在EC2中受标记限制的资源级别权限限制时设置名称和其他自定义标记,amazon-web-services,amazon-ec2,yaml,amazon-cloudformation,amazon-iam,Amazon Web Services,Amazon Ec2,Yaml,Amazon Cloudformation,Amazon Iam,我一直在玩EC2中配置基于标记的资源权限的游戏,使用的方法与以下问题的答案中描述的方法类似: 我一直在结合使用lambda函数来自动标记EC2实例,根据调用相关EC2:RunInstances操作的IAM用户设置Owner和PrincipalId。以下AWS博客文章中记录了我为此遵循的方法: 这两种方法的结合导致我对EC2的受限用户权限在我的CloudFormation模板中如下所示: LimitedEC2Policy: Type: "AWS::IAM::Policy" Properties:

我一直在玩EC2中配置基于标记的资源权限的游戏,使用的方法与以下问题的答案中描述的方法类似:

我一直在结合使用lambda函数来自动标记EC2实例,根据调用相关
EC2:RunInstances
操作的IAM用户设置
Owner
PrincipalId
。以下AWS博客文章中记录了我为此遵循的方法:

这两种方法的结合导致我对EC2的受限用户权限在我的CloudFormation模板中如下所示:

LimitedEC2Policy:
Type: "AWS::IAM::Policy"
Properties:
  PolicyName: UserLimitedEC2
  PolicyDocument:
    Version: 2012-10-17
    Statement:
      - Effect: Allow
        Action: ec2:RunInstances
        Resource:
          - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:subnet/${PrivateSubnetA}'
          - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:subnet/${PrivateSubnetB}'
          - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:subnet/${PrivateSubnetC}'
          - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:security-group/${BasicSSHAccessSecurityGroup.GroupId}'
          - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:key-pair/${AuthorizedKeyPair}'
          - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*'
          - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/*'
          - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:volume/*'
          - !Sub 'arn:aws:ec2:${AWS::Region}::image/ami-*'
        Condition:
          StringLikeIfExists:
            ec2:Vpc: !Ref Vpc
          StringLikeIfExists:
            ec2:InstanceType: !Ref EC2AllowedInstanceTypes
      - Effect: Allow
        Action:
          - ec2:TerminateInstances
          - ec2:StopInstances
          - ec2:StartInstances
        Resource:
          - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/*'
        Condition:
          StringEquals:
            ec2:ResourceTag/Owner: !Ref UserName
  Users:
    - !Ref IAMUser

- Effect: Allow
    Action:
      - ec2:CreateTags
      - ec2:DeleteTags
    Resource:
      - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:*/*'
    Condition:
      "ForAllValues:StringNotEquals":
        aws:TagKeys:
          - "Owner"
          - "PrincipalId"
这些IAM权限限制用户在单个VPC和安全组内的一组有限子网内运行EC2实例。然后,用户只能启动/停止/终止已在
Owner
标记中使用IAM用户标记的实例

我希望能够做到的是允许用户也在EC2资源上创建和删除任何附加标记,例如设置
Name
标记。我无法解决的是,我如何做到这一点,同时又不允许他们更改他们不“拥有”的资源上的
Owner
PrincipalId
标记

有没有方法可以限制
ec2:createTags
ec2:deletetetalgs
操作以防止用户设置某些标记?

在仔细阅读AWS ec2文档后,我发现如下内容:

这就是一个例子:

如果出现以下情况,请与
ForAllValues
修饰符一起使用以强制执行特定的标记键 它们在请求中提供(如果在 请求时,只允许使用特定的标记键;不允许使用其他标记 允许)。例如,标记键环境或成本中心是 允许的:

"ForAllValues:StringEquals": { "aws:TagKeys": ["environment","cost-center"] }
由于我想要实现的基本上与此相反(允许用户指定所有标记,特定标记键除外),因此我能够通过在我的CloudFormation模板中的用户策略中添加以下
PolicyDocument
语句来防止用户创建/删除所有者和PrincipalId标记:

LimitedEC2Policy:
Type: "AWS::IAM::Policy"
Properties:
  PolicyName: UserLimitedEC2
  PolicyDocument:
    Version: 2012-10-17
    Statement:
      - Effect: Allow
        Action: ec2:RunInstances
        Resource:
          - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:subnet/${PrivateSubnetA}'
          - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:subnet/${PrivateSubnetB}'
          - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:subnet/${PrivateSubnetC}'
          - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:security-group/${BasicSSHAccessSecurityGroup.GroupId}'
          - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:key-pair/${AuthorizedKeyPair}'
          - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*'
          - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/*'
          - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:volume/*'
          - !Sub 'arn:aws:ec2:${AWS::Region}::image/ami-*'
        Condition:
          StringLikeIfExists:
            ec2:Vpc: !Ref Vpc
          StringLikeIfExists:
            ec2:InstanceType: !Ref EC2AllowedInstanceTypes
      - Effect: Allow
        Action:
          - ec2:TerminateInstances
          - ec2:StopInstances
          - ec2:StartInstances
        Resource:
          - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/*'
        Condition:
          StringEquals:
            ec2:ResourceTag/Owner: !Ref UserName
  Users:
    - !Ref IAMUser

- Effect: Allow
    Action:
      - ec2:CreateTags
      - ec2:DeleteTags
    Resource:
      - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:*/*'
    Condition:
      "ForAllValues:StringNotEquals":
        aws:TagKeys:
          - "Owner"
          - "PrincipalId"
这允许用户创建/删除他们想要的任何标记,只要他们不是
所有者
PrincipalId