Tags: amazon-ec2, amazon-web-services, amazon-iam
I am trying to write a policy that allows a group of users to change the instance type of any instance, but not any other attribute.
I currently have:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1471613026000",
      "Effect": "Allow",
      "Action": [
        "ec2:ModifyInstanceAttribute"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
But this lets them change any attribute of any instance. Is there a way to restrict it so that only the instanceType attribute can be changed?
You can use a condition to restrict which attribute can be edited:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1471613026000",
      "Effect": "Allow",
      "Action": [
        "ec2:ModifyInstanceAttribute"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:Attribute": "InstanceType"
        }
      }
    }
  ]
}
EC2 policy documentation: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policy-struct.html#amazon-ec2-keys
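The following is an added example, not part of the question or the answer above and not AWS code: a small offline evaluator that models the part of IAM's decision logic these two policies rely on (Effect, Action, Resource and the StringEquals condition operator) and runs both policies against constructed requests. It shows why the unrestricted policy from the question permits changing any attribute, while the conditioned policy from the answer allows a request only when the ec2:Attribute context key equals InstanceType. It also covers the case a practitioner usually wants to confirm: when the ec2:Attribute key is absent from the request context, a StringEquals condition evaluates to false in real IAM, so the request falls through to the implicit deny. The instance ARN, account id and the attribute name UserData are constructed sample values; the evaluator itself is a deliberate simplification (no policy variables, no IfExists operators, no resource-based or SCP layers).

```python
"""Toy IAM evaluator (added example, not AWS code) for the two policies above.

Only Effect/Action/Resource and the StringEquals condition operator are
modelled; real IAM supports far more. Sample ARNs and context values are
constructed for illustration.
"""
import fnmatch
import json

# Policy from the question: unrestricted ModifyInstanceAttribute.
UNRESTRICTED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1471613026000",
      "Effect": "Allow",
      "Action": ["ec2:ModifyInstanceAttribute"],
      "Resource": ["*"]
    }
  ]
}
""")

# Policy from the answer: same action, limited by the ec2:Attribute key.
RESTRICTED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1471613026000",
      "Effect": "Allow",
      "Action": ["ec2:ModifyInstanceAttribute"],
      "Resource": ["*"],
      "Condition": {
        "StringEquals": {
          "ec2:Attribute": "InstanceType"
        }
      }
    }
  ]
}
""")

# Constructed sample ARN: account id and instance id are placeholders.
INSTANCE_ARN = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"
ACTION = "ec2:ModifyInstanceAttribute"


def _as_list(value):
    """IAM accepts a string or a list for Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Evaluate a Condition block; only StringEquals is modelled.

    As in IAM, a condition key that is missing from the request context makes
    the condition false (no ...IfExists handling here), so the statement does
    not match and the request ends up implicitly denied.
    """
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} is not modelled")
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None or actual not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource, context):
    """Return True only if some Allow statement matches and no Deny statement does."""
    allowed = False
    for stmt in policy["Statement"]:
        action_ok = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_ok = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if not (action_ok and resource_ok):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit deny always wins
        allowed = True
    return allowed  # no matching Allow means implicit deny


def unrestricted_allows_user_data():
    # Question's policy: any attribute goes through, e.g. a constructed "UserData" request.
    return is_allowed(UNRESTRICTED_POLICY, ACTION, INSTANCE_ARN, {"ec2:Attribute": "UserData"})


def restricted_allows_instance_type():
    return is_allowed(RESTRICTED_POLICY, ACTION, INSTANCE_ARN, {"ec2:Attribute": "InstanceType"})


def restricted_allows_user_data():
    return is_allowed(RESTRICTED_POLICY, ACTION, INSTANCE_ARN, {"ec2:Attribute": "UserData"})


def restricted_allows_without_attribute_key():
    # Request context that carries no ec2:Attribute key at all.
    return is_allowed(RESTRICTED_POLICY, ACTION, INSTANCE_ARN, {})


if __name__ == "__main__":
    print("unrestricted, UserData:", unrestricted_allows_user_data())          # True
    print("restricted, InstanceType:", restricted_allows_instance_type())      # True
    print("restricted, UserData:", restricted_allows_user_data())              # False
    print("restricted, no key:", restricted_allows_without_attribute_key())    # False
```

Running the script prints the four decisions. The evaluator is a model for reasoning about the condition, not a substitute for testing the real policy; for that, the IAM policy simulator (or the `iam:SimulateCustomPolicy` API) evaluates the actual service semantics, including condition keys the toy above does not know about.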