Warning: file_get_contents(/data/phpspider/zhask/data//catemap/1/amazon-web-services/14.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
Amazon web services 如何对“拒绝”应用拒绝策略;标签:UntagResources";AWS中的行动_Amazon Web Services_Amazon S3_Amazon Ec2_Aws Policies_Aws Resource Group - Fatal编程技术网
Fatal编程技术网
  • amazon-web-services/
  • Amazon web services 如何对“拒绝”应用拒绝策略;标签:UntagResources";AWS中的行动

Amazon web services 如何对“拒绝”应用拒绝策略;标签:UntagResources";AWS中的行动

amazon-web-services amazon-s3 amazon-ec2

Amazon web services 如何对“拒绝”应用拒绝策略;标签:UntagResources";AWS中的行动,amazon-web-services,amazon-s3,amazon-ec2,aws-policies,aws-resource-group,Amazon Web Services,Amazon S3,Amazon Ec2,Aws Policies,Aws Resource Group,我有这个策略,它应该防止用户从AWS中的任何资源中删除标记。但标记仍在从资源中删除 { "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:Delete*", "s3:Delete*",

我有这个策略,它应该防止用户从AWS中的任何资源中删除标记。但标记仍在从资源中删除

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:Delete*",
                "s3:Delete*",
                "s3:ReplicateTags",
                "iam:Untag*",
                "tag:UntagResources"
            ],
            "Effect": "Deny",
            "Resource": "*"
        },
        {
            "Action": [
                "s3:Create*",
                "s3:Describe*",
                "s3:Get*",
                "s3:List*",
                "s3:Put*",
                "s3:Update*",
                "s3:Replicate*",
                "s3:RestoreObject",
                "s3:ObjectOwnerOverrideToBucketOwner"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "ec2:Create*",
                "ec2:Describe*",
                "ec2:Get*",
                "ec2:Modify*",
                "ec2:StartInstances",
                "ec2:StopInstances"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "iam:Tag*",
                "tag:TagResources",
                "tag:GetResources"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "iam:Untag*",
                "tag:UntagResources"
            ],
            "Effect": "Deny",
            "Resource": "*"
        }
    ]
}
由于我是AWS的新手,我不知道出了什么问题。其他权限可以正常工作。只是取消标记不起作用。如何拒绝未标记资源?提前谢谢

如何使
标记:UntagResources
工作?

一种方法是使用IAM创建策略可视化编辑器。键入您感兴趣的服务(如S3),然后在“操作搜索”对话框中搜索“标记”以查找您想要拒绝的所有相关操作。使用“切换到拒绝权限”链接使其成为拒绝语句。然后选择“所有资源”作为“资源”。最后,切换到JSON选项卡,以查看结果语句

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
            "s3:DeleteObjectTagging",
            "s3:DeleteJobTagging",
            "s3:DeleteStorageLensConfigurationTagging",
            "s3:DeleteObjectVersionTagging"
        ],
        "Resource": "*"
    }
]
}

然后,您可以对要禁用标记的每个服务重复此过程,以创建多个策略语句。

我没有时间写完整的答案,但简短的回答是标记API是特定于服务的。因此
iam:Untag*
将只适用于由iam管理的资源,如用户,而不适用于资源,如EC2实例。那么我需要做什么才能做到这一点呢?非常感谢你的时间和努力@格雷戈里