Amazon web services 如何对“拒绝”应用拒绝策略;标签:UntagResources";AWS中的行动
我有这个策略,它应该防止用户从AWS中的任何资源中删除标记。但标记仍在从资源中删除Amazon web services 如何对“拒绝”应用拒绝策略;标签:UntagResources";AWS中的行动,amazon-web-services,amazon-s3,amazon-ec2,aws-policies,aws-resource-group,Amazon Web Services,Amazon S3,Amazon Ec2,Aws Policies,Aws Resource Group,我有这个策略,它应该防止用户从AWS中的任何资源中删除标记。但标记仍在从资源中删除 { "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:Delete*", "s3:Delete*",
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:Delete*",
"s3:Delete*",
"s3:ReplicateTags",
"iam:Untag*",
"tag:UntagResources"
],
"Effect": "Deny",
"Resource": "*"
},
{
"Action": [
"s3:Create*",
"s3:Describe*",
"s3:Get*",
"s3:List*",
"s3:Put*",
"s3:Update*",
"s3:Replicate*",
"s3:RestoreObject",
"s3:ObjectOwnerOverrideToBucketOwner"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:Create*",
"ec2:Describe*",
"ec2:Get*",
"ec2:Modify*",
"ec2:StartInstances",
"ec2:StopInstances"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"iam:Tag*",
"tag:TagResources",
"tag:GetResources"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"iam:Untag*",
"tag:UntagResources"
],
"Effect": "Deny",
"Resource": "*"
}
]
}
由于我是AWS的新手,我不知道出了什么问题。其他权限可以正常工作。只是取消标记不起作用。如何拒绝未标记资源?提前谢谢
如何使
标记:UntagResources
工作?一种方法是使用IAM创建策略可视化编辑器。键入您感兴趣的服务(如S3),然后在“操作搜索”对话框中搜索“标记”以查找您想要拒绝的所有相关操作。使用“切换到拒绝权限”链接使其成为拒绝语句。然后选择“所有资源”作为“资源”。最后,切换到JSON选项卡,以查看结果语句
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:DeleteObjectTagging",
"s3:DeleteJobTagging",
"s3:DeleteStorageLensConfigurationTagging",
"s3:DeleteObjectVersionTagging"
],
"Resource": "*"
}
]
}
然后,您可以对要禁用标记的每个服务重复此过程,以创建多个策略语句。我没有时间写完整的答案,但简短的回答是标记API是特定于服务的。因此
iam:Untag*
将只适用于由iam管理的资源,如用户,而不适用于资源,如EC2实例。那么我需要做什么才能做到这一点呢?非常感谢你的时间和努力@格雷戈里