Allow ec2:CreateSecurityGroup only when the request carries a specific tag

Question (votes: 0, answers: 0)

I am trying to write an IAM policy that ensures a resource (a security group, in this example) cannot be created unless it is tagged with a specific tag carrying a specific value.

Here is my policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "ec2:GetConsole*",
                "ec2:CreateTags"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ec2:CreateSecurityGroup",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/CreatedBy": "a_value"
                }
            }
        }
    ]
}

Here is the relevant part of the web console:

When I click "Create security group", I get this error:

Here is the decoded error:

{
    "allowed": false,
    "explicitDeny": false,
    "matchedStatements": {
        "items": []
    },
    "failures": {
        "items": []
    },
    "context": {
        "principal": {
            "id": "<redacted>",
            "name": "<redacted>",
            "arn": "<redacted>"
        },
        "action": "ec2:CreateSecurityGroup",
        "resource": "<redacted>",
        "conditions": {
            "items": [
                {
                    "key": "aws:Region",
                    "values": {
                        "items": [
                            {
                                "value": "eu-west-1"
                            }
                        ]
                    }
                },
                {
                    "key": "aws:Service",
                    "values": {
                        "items": [
                            {
                                "value": "ec2"
                            }
                        ]
                    }
                },
                {
                    "key": "aws:Resource",
                    "values": {
                        "items": [
                            {
                                "value": "<redacted>"
                            }
                        ]
                    }
                },
                {
                    "key": "aws:Type",
                    "values": {
                        "items": [
                            {
                                "value": "vpc"
                            }
                        ]
                    }
                },
                {
                    "key": "aws:Account",
                    "values": {
                        "items": [
                            {
                                "value": "<redacted>"
                            }
                        ]
                    }
                },
                {
                    "key": "ec2:Tenancy",
                    "values": {
                        "items": [
                            {
                                "value": "default"
                            }
                        ]
                    }
                },
                {
                    "key": "ec2:VpcID",
                    "values": {
                        "items": [
                            {
                                "value": "<redacted>"
                            }
                        ]
                    }
                },
                {
                    "key": "ec2:Region",
                    "values": {
                        "items": [
                            {
                                "value": "eu-west-1"
                            }
                        ]
                    }
                },
                {
                    "key": "aws:ARN",
                    "values": {
                        "items": [
                            {
                                "value": "<redacted>"
                            }
                        ]
                    }
                }
            ]
        }
    }
}

If I remove the Condition block, it works. Any ideas?

amazon-web-services amazon-iam aws-security-group aws-policies
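The decoded message above is the useful clue: the check that produced it has aws:Type = vpc, no aws:RequestTag key in its condition context, and an empty matchedStatements list. ec2:CreateSecurityGroup is authorized against two resources, the VPC the group is created in and the new security group, and the TagSpecifications in the call apply only to the security group. A single statement on Resource "*" gated on aws:RequestTag/CreatedBy therefore matches the security-group check but never the VPC check, and the VPC check fails with an implicit deny. The usual fix is to split the statement: an unconditional Allow on the VPC ARN, and the tag condition only on the security-group ARN. The script below is an added example, not code from the post or from AWS: it is an offline, deliberately reduced model of IAM evaluation (Allow / implicit deny, "*" wildcards, StringEquals only) that runs the original and the corrected policy against both resource checks. The account ID, VPC ID and security-group ID are constructed placeholders; the region and tag key/value are the ones on the page.

```python
"""Added example, not code from the original post: a reduced offline model of how
IAM evaluates ec2:CreateSecurityGroup against the VPC and the security group.
Account, VPC and security-group IDs are constructed placeholders."""
import fnmatch

ACCOUNT = "111111111111"                                                   # constructed
REGION = "eu-west-1"                                                       # from the decoded error
VPC_ARN = f"arn:aws:ec2:{REGION}:{ACCOUNT}:vpc/vpc-0123456789abcdef0"                 # constructed
SG_ARN = f"arn:aws:ec2:{REGION}:{ACCOUNT}:security-group/sg-0fedcba9876543210"        # constructed

DESCRIBE_STMT = {
    "Effect": "Allow",
    "Action": ["ec2:Describe*", "ec2:GetConsole*", "ec2:CreateTags"],
    "Resource": "*",
}

# The poster's policy: one Allow on Resource "*" gated on the request tag.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        DESCRIBE_STMT,
        {
            "Effect": "Allow",
            "Action": "ec2:CreateSecurityGroup",
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:RequestTag/CreatedBy": "a_value"}},
        },
    ],
}

# Corrected policy: unconditional Allow for the VPC check, tag condition only on
# the security-group resource (the shape AWS documents for tag-on-create).
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        DESCRIBE_STMT,
        {
            "Effect": "Allow",
            "Action": "ec2:CreateSecurityGroup",
            "Resource": f"arn:aws:ec2:{REGION}:{ACCOUNT}:vpc/*",
        },
        {
            "Effect": "Allow",
            "Action": "ec2:CreateSecurityGroup",
            "Resource": f"arn:aws:ec2:{REGION}:{ACCOUNT}:security-group/*",
            "Condition": {"StringEquals": {"aws:RequestTag/CreatedBy": "a_value"}},
        },
    ],
}


def _matches(patterns, candidate):
    # IAM action/resource wildcards ("*", "?") behave like fnmatch on ARNs and action names.
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(candidate, p) for p in patterns)


def _condition_holds(condition, context):
    # Only StringEquals is modelled; a key absent from the context never matches.
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        if any(context.get(key) != expected for key, expected in pairs.items()):
            return False
    return True


def build_request(tags):
    """Per-resource contexts for one CreateSecurityGroup call. TagSpecifications
    apply to the new security group only, so the VPC context has no aws:RequestTag
    keys, which is the check that produced the decoded error on the page."""
    return [
        (VPC_ARN, {}),
        (SG_ARN, {f"aws:RequestTag/{k}": v for k, v in tags.items()}),
    ]


def evaluate(policy, action, request):
    """Return (allowed, {arn: decision}). Every resource must be allowed; an explicit
    Deny on any resource wins; no matching statement is an implicit deny."""
    decisions = {}
    for arn, context in request:
        matched = [
            s for s in policy["Statement"]
            if _matches(s["Action"], action)
            and _matches(s["Resource"], arn)
            and _condition_holds(s.get("Condition", {}), context)
        ]
        if any(s["Effect"] == "Deny" for s in matched):
            decisions[arn] = "explicitDeny"
        elif any(s["Effect"] == "Allow" for s in matched):
            decisions[arn] = "allow"
        else:
            decisions[arn] = "implicitDeny"  # matchedStatements empty, as in the decoded error
    return all(d == "allow" for d in decisions.values()), decisions


def check_create_security_group(policy, tags):
    return evaluate(policy, "ec2:CreateSecurityGroup", build_request(tags))


if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY)):
        for tags in ({"CreatedBy": "a_value"}, {}):
            allowed, why = check_create_security_group(policy, tags)
            print(f"{name:8} tags={tags} allowed={allowed} {why}")
```

Two caveats when applying the split policy for real. The tag has to travel in the same CreateSecurityGroup call (TagSpecifications with ResourceType security-group); a tag applied afterwards by a separate CreateTags call never satisfies aws:RequestTag on the create action. And because the first statement allows ec2:CreateTags on "*" with no condition, the principal can change or remove CreatedBy once the group exists; if the tag is meant to be an enforced marker, constrain ec2:CreateTags with the same aws:RequestTag condition as well.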