如何在IAM策略中限制ec2:RunInstances的EC2 EBS卷大小?

问题描述 投票:0回答:1

我现在的IAM策略能够限制实例类型,但我还希望能够将EBS卷大小限制在某个值以下。我如何修改以下JSON IAM策略?我最好想要一些“条件”:“IntegerLessThanOrEquals”,但手动指定每个数字是可以接受的,因为我需要将它限制为10 GiB。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AdminPermissions",
            "Effect": "Allow",
            "Action": [
                "ssm:SendCommand",
                "ssm:GetCommandInvocation",
                "ec2:StopInstances",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeNetworkInterfaces",
                "ec2:CreateTags"
            ],
            "Resource": "*"
        },
        {
            "Sid": "RunInstanceResourcePermissions",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*::image/*"
            ]
        },
        {
            "Sid": "LimitInstanceTypes",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:InstanceType": [
                        "t2.nano",
                        "t2.micro",
                        "t2.small",
                        "t2.medium"
                    ]
                }
            }
        }
    ]
}

Edit: Answer

这是我得到的解决方案。语句“LimitInstanceVolumeSize”是新的,资源“arn:aws:ec2 ::: volume / *”被移动到它。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AdminPermissions",
            "Effect": "Allow",
            "Action": [
                "ssm:SendCommand",
                "ssm:GetCommandInvocation",
                "ec2:StopInstances",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeNetworkInterfaces",
                "ec2:CreateTags"
            ],
            "Resource": "*"
        },
        {
            "Sid": "RunInstanceResourcePermissions",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*::image/*"
            ]
        },
        {
            "Sid": "LimitInstanceVolumeSize",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*"
            ],
            "Condition": {
                "NumericLessThanEquals": {
                    "ec2:VolumeSize": "16"
                }
            }
        },
        {
            "Sid": "LimitInstanceTypes",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:InstanceType": [
                        "t2.nano",
                        "t2.micro",
                        "t2.small",
                        "t2.medium"
                    ]
                }
            }
        }
    ]
}
amazon-web-services amazon-ec2 amazon-iam
1个回答
1
投票

您可以通过使用Condition键ec2:VolumeSize来实现这一目标,资源将是arn:aws:ec2:region:account:volume/*,API Action将是AttachVolume

谢谢

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.