AWS IAM:仅允许 IAM 用户更改 EC2 实例类型

use*_*095 5 amazon-ec2 amazon-web-services amazon-iam

我正在尝试编写一个策略,允许一组用户更改任何实例的实例类型,但不能更改其他属性。

我目前有:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1471613026000",
            "Effect": "Allow",
            "Action": [
                "ec2:ModifyInstanceAttribute"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
Run Code Online (Sandbox Code Playgroud)

但这将允许他们更改任何实例的属性。有没有办法限制它只允许更改 instanceType 属性?

Ver*_*era 2

您可以使用条件限制可以编辑的属性:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1471613026000",
            "Effect": "Allow",
            "Action": [
                "ec2:ModifyInstanceAttribute"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:Attribute": "InstanceType"
                }
            }
        }
    ]
}
Run Code Online (Sandbox Code Playgroud)

EC2 策略文档:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policy-struct.html#amazon-ec2-keys