Gar*_*aid 5 amazon-vpc amazon-iam
我想创建一个 IAM 策略,允许用户按如下方式部署实例:
此场景在此处的 VPC 文档中得到解决(示例 4):
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_IAM.html#subnet-sg-example-iam
我已经尝试过我自己的策略版本:
{
"Version": "2012-10-17",
"Statement":[{
"Effect":"Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:eu-west-1:937821706121:image/ami-141ac363",
"arn:aws:ec2:eu-west-1:937821706121:subnet/subnet-733de516",
"arn:aws:ec2:eu-west-1:937821706121:network-interface/*",
"arn:aws:ec2:eu-west-1:937821706121:volume/*",
"arn:aws:ec2:eu-west-1:937821706121:key-pair/*",
"arn:aws:ec2:eu-west-1:937821706121:security-group/sg-4aa80f2f"
]
}]
}
它不起作用。当我尝试以应用此策略的组成员的用户身份部署实例时,我的权限被拒绝。我是否需要包含其他一些策略以允许以这种方式部署实例?
基本上,除了设置全局管理员或只读策略之外,IAM 文档在执行任何其他操作时完全不可靠。
这是我最终开始工作的策略(至少对于子网位):
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:eu-west-1:937821706121:network-interface/*"
],
"Condition": {
"ArnNotEquals": {
"ec2:Subnet": "arn:aws:ec2:eu-west-1:937821706121:subnet/subnet-733de516"
}
}
},
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:eu-west-1::image/ami-*",
"arn:aws:ec2:eu-west-1:937821706121:network-interface/*",
"arn:aws:ec2:eu-west-1:937821706121:instance/*",
"arn:aws:ec2:eu-west-1:937821706121:subnet/*",
"arn:aws:ec2:eu-west-1:937821706121:volume/*",
"arn:aws:ec2:eu-west-1:937821706121:key-pair/*",
"arn:aws:ec2:eu-west-1:937821706121:security-group/*"
]
}
]
}
这需要大量的试验和错误。
基本上,当您想根据特定资源限制用户时,您需要创建一个语句,首先拒绝运行实例的能力,除非特定 arn 资源满足条件,然后最后允许它们做任何事情。
更新:
亚马逊承认他们的文档不准确:
https://forums.aws.amazon.com/thread.jspa?threadID=160287&tstart=0
| 归档时间: |
|
| 查看次数: |
4940 次 |
| 最近记录: |