Tags: null, policy, key, amazon-ec2, amazon-iam
The goals of my policy document:
Goal no. 2 works as expected; however, if a user creates an EC2 instance with an empty tag, or simply forgets to add it, the policy still allows the user to create the instance.
I tried the Null operator (referenced here), but it does not seem to work.
Another attempt was a condition matching the aws:tag-keys values (referenced here), but it seems to work only when checking a single value with the StringLike comparison operator.
This is a prerequisite for a Lambda function that shuts down dev instances.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireEnvTags",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances"
      ],
      "Condition": {
        "ForAnyValue:StringNotEquals": {
          "ec2:ResourceTag/env": [
            "dev",
            "stg",
            "prd",
            "dev-noshutdown"
          ]
        }
      },
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "RequireDataSensitivity1",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances"
      ],
      "Condition": {
        "ForAnyValue:StringNotEquals": {
          "ec2:ResourceTag/data-sensitivity": [
            "public",
            "internal",
            "confidential",
            "highly confidential"
          ]
        }
      },
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "NullChecksDontSeemToWork0",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances"
      ],
      "Condition": {
        "Null": {
          "ec2:ResourceTag/Name": "true"
        }
      },
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "NullChecksDontSeemToWork1",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances"
      ],
      "Condition": {
        "Null": {
          "ec2:ResourceTag/team": "true"
        }
      },
      "Resource": [
        "*"
      ]
    }
  ]
}
```
After working through this, I found it only needed a slight tweak. For some reason, AWS requires the action to be explicitly allowed in the same policy document (even if another policy document attached to the same user explicitly allows it) before AWS enforces the intended policy correctly:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*::image/ami-*",
        "arn:aws:ec2:*:ACCOUNT_ID:subnet/*",
        "arn:aws:ec2:*:ACCOUNT_ID:network-interface/*",
        "arn:aws:ec2:*:ACCOUNT_ID:volume/*",
        "arn:aws:ec2:*:ACCOUNT_ID:key-pair/*",
        "arn:aws:ec2:*:ACCOUNT_ID:security-group/*"
      ],
      "Sid": "AllowRunInstances"
    },
    {
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:ACCOUNT_ID:instance/*",
      "Condition": {
        "StringNotLike": {
          "aws:RequestTag/env": [
            "dev",
            "stg",
            "prd",
            "dev-noshutdown",
            "trn",
            "tst"
          ]
        }
      },
      "Sid": "RequireSpecificEnvTags"
    }
  ]
}
```
It works!
Quick note: at the moment this policy does not seem to allow creating Spot instances (because Spot requests handle tags differently). I have submitted a feature request to AWS.
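The difference between the question's Deny statements and the answer's, as an added example that is not part of the original post: a small Python model of two documented IAM evaluation rules. A set operator such as ForAnyValue:StringNotEquals evaluates to false when its key is absent from the request context (so the Deny never fires for a missing tag), while a negated single-valued operator such as StringNotLike evaluates to true when its key is absent (so the Deny fires). The request context built from the tags, and the choice to populate ec2:ResourceTag/env from the request tags as the most generous reading of the question's policy, are this model's assumptions.

```python
from fnmatch import fnmatchcase

# Values accepted by the answer's RequireSpecificEnvTags statement.
ALLOWED_ENV = ["dev", "stg", "prd", "dev-noshutdown", "trn", "tst"]


def for_any_value_string_not_equals(context, key, allowed):
    """ForAnyValue:StringNotEquals (set operator).
    True when at least one value of `key` lies outside `allowed`.
    An absent key contributes no values, so the result is False."""
    return any(v not in allowed for v in context.get(key, []))


def string_not_like(context, key, patterns):
    """StringNotLike (negated single-valued operator).
    IAM treats an absent key as satisfying a negated operator, so the
    result is True. Patterns use * and ? like IAM; fnmatchcase is close
    enough for this model."""
    if key not in context:
        return True
    value = context[key][0]
    return not any(fnmatchcase(value, p) for p in patterns)


def request_context(request_tags):
    """Constructed model of the condition keys IAM derives from the
    TagSpecifications of a RunInstances call. Every key maps to a list of
    values; aws:RequestTag/<tag> is what IAM really supplies, and
    ec2:ResourceTag/<tag> is populated the same way only as an assumption
    in favour of the question's policy (the instance does not exist yet)."""
    ctx = {}
    for tag_key, tag_value in request_tags.items():
        ctx[f"aws:RequestTag/{tag_key}"] = [tag_value]
        ctx[f"ec2:ResourceTag/{tag_key}"] = [tag_value]
    return ctx


def denied_by_question_policy(request_tags):
    ctx = request_context(request_tags)
    return for_any_value_string_not_equals(ctx, "ec2:ResourceTag/env", ALLOWED_ENV)


def denied_by_answer_policy(request_tags):
    ctx = request_context(request_tags)
    return string_not_like(ctx, "aws:RequestTag/env", ALLOWED_ENV)


def evaluate(request_tags):
    """Report which of the two Deny statements fires for one set of tags."""
    return {"question": denied_by_question_policy(request_tags),
            "answer": denied_by_answer_policy(request_tags)}


if __name__ == "__main__":
    for tags in ({"env": "dev"}, {}, {"env": ""}, {"env": "prod"}):
        print(tags, evaluate(tags))
```

Only the missing-tag case separates the two policies: both deny a wrong or empty value, but only the StringNotLike form denies a request that carries no env tag at all.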
Views: 3339