Enforcing tags in EC2

Question    votes: 0    answers: 1

Created an IAM policy that should restrict users so that they are not allowed to create EC2 instances when the tag values are not met:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowToDescribeAll",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowRunInstances",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:*::image/*",
                "arn:aws:ec2:*::snapshot/*",
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:key-pair/*"
            ]
        },
        {
            "Sid": "AllowRunInstancesWithRestrictions",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVolume",
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/shutdown": "true",
                    "aws:RequestTag/terminate": "true"
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": [
                        "shutdown",
                        "terminate"
                    ]
                }
            }
        },
        {
            "Sid": "AllowCreateTagsOnlyLaunching",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": "RunInstances"
                }
            }
        }
    ]
}

amazon-ec2 tags
1 answer
0 votes

Please check the policy simulator at https://policysim.aws.amazon.com/home/index.jsp?#

With the following policy I can confirm that it works:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowToDescribeAll",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowRunInstances",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:*::image/*",
                "arn:aws:ec2:*::snapshot/*",
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:key-pair/*"
            ]
        },
        {
            "Sid": "AllowRunInstancesWithRestrictions",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVolume",
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/terminate": "true",
                    "aws:RequestTag/shutdown": "true"
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": [
                        "terminate",
                        "shutdown"
                    ]
                }
            }
        },
        {
            "Sid": "AllowCreateTagsOnlyLaunching",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": "RunInstances"
                }
            }
        }
    ]
}

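As an added example (not code from the question or the answer), the following Python models how the two condition operators in the AllowRunInstancesWithRestrictions statement combine, and why both are needed; it assumes, as a simplification of the IAM engine, that the condition is evaluated once per resource type the statement covers (instance and volume) with the tags supplied for that type in TagSpecifications:

```python
"""Toy model of the Condition block above: StringEquals on aws:RequestTag/<key>
plus ForAllValues:StringEquals on aws:TagKeys. It is an added illustration, not
the AWS evaluator, and ignores policy features the page does not use."""
from typing import Dict

REQUIRED_TAGS = {"shutdown": "true", "terminate": "true"}  # StringEquals block
ALLOWED_KEYS = {"shutdown", "terminate"}                    # ForAllValues block


def keys_only_matches(request_tags: Dict[str, str]) -> bool:
    """ForAllValues:StringEquals on aws:TagKeys taken alone: every key in the
    request must be in the allowed set. For an empty request it is vacuously
    true, so on its own it never forces a tag to be present."""
    return set(request_tags).issubset(ALLOWED_KEYS)


def condition_matches(request_tags: Dict[str, str]) -> bool:
    """Tags supplied for one resource satisfy the whole Condition block."""
    # StringEquals on aws:RequestTag/<key>: each listed key must be present
    # with exactly that value (case-sensitive). A missing key is a non-match,
    # because the policy uses StringEquals rather than StringEqualsIfExists.
    for key, value in REQUIRED_TAGS.items():
        if request_tags.get(key) != value:
            return False
    # Both operators in one Condition are ANDed, so the set check is what
    # rejects extra keys such as Name, and the check above is what rejects
    # an untagged request.
    return keys_only_matches(request_tags)


def run_instances_allowed(tag_specs: Dict[str, Dict[str, str]]) -> bool:
    """Model of a RunInstances call whose TagSpecifications map resource type
    to tags. Assumption of this model: the statement's Condition is checked
    for each covered resource type, with no tags if that type was omitted."""
    return all(condition_matches(tag_specs.get(rt, {}))
               for rt in ("instance", "volume"))


if __name__ == "__main__":
    # Constructed sample requests, not taken from the page.
    good = {"shutdown": "true", "terminate": "true"}
    print(run_instances_allowed({"instance": good, "volume": good}))  # True
    print(run_instances_allowed({"instance": good}))                  # False
```

Tagging only the instance is rejected under this model because the volume resource in the same statement then carries no tags at all.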
