Amazon web services 如何使IAM用户在EC2中受标记限制的资源级别权限限制时设置名称和其他自定义标记
我一直在玩EC2中配置基于标记的资源权限的游戏,使用的方法与以下问题的答案中描述的方法类似: 我一直在结合使用lambda函数来自动标记EC2实例,根据调用相关Amazon web services 如何使IAM用户在EC2中受标记限制的资源级别权限限制时设置名称和其他自定义标记,amazon-web-services,amazon-ec2,yaml,amazon-cloudformation,amazon-iam,Amazon Web Services,Amazon Ec2,Yaml,Amazon Cloudformation,Amazon Iam,我一直在玩EC2中配置基于标记的资源权限的游戏,使用的方法与以下问题的答案中描述的方法类似: 我一直在结合使用lambda函数来自动标记EC2实例,根据调用相关EC2:RunInstances操作的IAM用户设置Owner和PrincipalId。以下AWS博客文章中记录了我为此遵循的方法: 这两种方法的结合导致我对EC2的受限用户权限在我的CloudFormation模板中如下所示: LimitedEC2Policy: Type: "AWS::IAM::Policy" Properties:
EC2:RunInstances
操作的IAM用户设置Owner
和PrincipalId
。以下AWS博客文章中记录了我为此遵循的方法:
这两种方法的结合导致我对EC2的受限用户权限在我的CloudFormation模板中如下所示:
LimitedEC2Policy:
Type: "AWS::IAM::Policy"
Properties:
PolicyName: UserLimitedEC2
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action: ec2:RunInstances
Resource:
- !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:subnet/${PrivateSubnetA}'
- !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:subnet/${PrivateSubnetB}'
- !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:subnet/${PrivateSubnetC}'
- !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:security-group/${BasicSSHAccessSecurityGroup.GroupId}'
- !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:key-pair/${AuthorizedKeyPair}'
- !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*'
- !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/*'
- !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:volume/*'
- !Sub 'arn:aws:ec2:${AWS::Region}::image/ami-*'
Condition:
StringLikeIfExists:
ec2:Vpc: !Ref Vpc
StringLikeIfExists:
ec2:InstanceType: !Ref EC2AllowedInstanceTypes
- Effect: Allow
Action:
- ec2:TerminateInstances
- ec2:StopInstances
- ec2:StartInstances
Resource:
- !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/*'
Condition:
StringEquals:
ec2:ResourceTag/Owner: !Ref UserName
Users:
- !Ref IAMUser
- Effect: Allow
Action:
- ec2:CreateTags
- ec2:DeleteTags
Resource:
- !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:*/*'
Condition:
"ForAllValues:StringNotEquals":
aws:TagKeys:
- "Owner"
- "PrincipalId"
这些IAM权限限制用户在单个VPC和安全组内的一组有限子网内运行EC2实例。然后,用户只能启动/停止/终止已在Owner
标记中使用IAM用户标记的实例
我希望能够做到的是允许用户也在EC2资源上创建和删除任何附加标记,例如设置Name
标记。我无法解决的是,我如何做到这一点,同时又不允许他们更改他们不“拥有”的资源上的Owner
和PrincipalId
标记
有没有方法可以限制
ec2:createTags
和ec2:deletetetalgs
操作以防止用户设置某些标记?在仔细阅读AWS ec2文档后,我发现如下内容:
这就是一个例子:
如果出现以下情况,请与ForAllValues
修饰符一起使用以强制执行特定的标记键
它们在请求中提供(如果在
请求时,只允许使用特定的标记键;不允许使用其他标记
允许)。例如,标记键环境或成本中心是
允许的:
"ForAllValues:StringEquals": { "aws:TagKeys": ["environment","cost-center"] }
由于我想要实现的基本上与此相反(允许用户指定所有标记,特定标记键除外),因此我能够通过在我的CloudFormation模板中的用户策略中添加以下PolicyDocument
语句来防止用户创建/删除所有者和PrincipalId标记:
LimitedEC2Policy:
Type: "AWS::IAM::Policy"
Properties:
PolicyName: UserLimitedEC2
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action: ec2:RunInstances
Resource:
- !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:subnet/${PrivateSubnetA}'
- !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:subnet/${PrivateSubnetB}'
- !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:subnet/${PrivateSubnetC}'
- !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:security-group/${BasicSSHAccessSecurityGroup.GroupId}'
- !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:key-pair/${AuthorizedKeyPair}'
- !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*'
- !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/*'
- !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:volume/*'
- !Sub 'arn:aws:ec2:${AWS::Region}::image/ami-*'
Condition:
StringLikeIfExists:
ec2:Vpc: !Ref Vpc
StringLikeIfExists:
ec2:InstanceType: !Ref EC2AllowedInstanceTypes
- Effect: Allow
Action:
- ec2:TerminateInstances
- ec2:StopInstances
- ec2:StartInstances
Resource:
- !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/*'
Condition:
StringEquals:
ec2:ResourceTag/Owner: !Ref UserName
Users:
- !Ref IAMUser
- Effect: Allow
Action:
- ec2:CreateTags
- ec2:DeleteTags
Resource:
- !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:*/*'
Condition:
"ForAllValues:StringNotEquals":
aws:TagKeys:
- "Owner"
- "PrincipalId"
这允许用户创建/删除他们想要的任何标记,只要他们不是所有者
或PrincipalId