我只允许用户在允许的子网中运行/停止ec2实例,但以下代码不起作用...
{
"Effect": "Allow",
"Action": [
"ec2:RunInstances",
"ec2:TerminateInstances",
"ec2:StopInstances",
"ec2:StartInstances",
"ec2:RunScheduledInstances",
"ec2:UnmonitorInstances"
],
"Resource": [
"*"
],
"Condition": {
"ForAnyValue:ArnEquals": {
"ec2:Subnet": [
"arn:aws:ec2:*:*:subnet/subnet-*******",
"arn:aws:ec2:*:*:subnet/subnet-*******",
"arn:aws:ec2:*:*:subnet/subnet-*******"
]
}
}
}
此策略将允许用户仅通过编程方式和通过控制台在特定子网中运行EC2实例:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:RunInstances",
"ec2:TerminateInstances",
"ec2:StopInstances",
"ec2:StartInstances",
"ec2:RunScheduledInstances",
"ec2:UnmonitorInstances"
],
"Resource": [
"arn:aws:ec2:*:*:subnet/subnet-******",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*::image/ami-*",
"arn:aws:ec2:*:*:key-pair/*",
"arn:aws:ec2:*:*:security-group/*"
]
}
]
}