I am trying to write an IAM policy to ensure that a resource (a security group in this example) cannot be created unless it is tagged with a specific tag carrying a specific value.
Here is my policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "ec2:GetConsole*",
        "ec2:CreateTags"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:CreateSecurityGroup",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/CreatedBy": "a_value"
        }
      }
    }
  ]
}
Here is the relevant part of the web console:
When I click "Create Security Group", I get this error:
Here is the decoded error:
{
  "allowed": false,
  "explicitDeny": false,
  "matchedStatements": { "items": [] },
  "failures": { "items": [] },
  "context": {
    "principal": {
      "id": "<redacted>",
      "name": "<redacted>",
      "arn": "<redacted>"
    },
    "action": "ec2:CreateSecurityGroup",
    "resource": "<redacted>",
    "conditions": {
      "items": [
        { "key": "aws:Region",   "values": { "items": [ { "value": "eu-west-1" } ] } },
        { "key": "aws:Service",  "values": { "items": [ { "value": "ec2" } ] } },
        { "key": "aws:Resource", "values": { "items": [ { "value": "<redacted>" } ] } },
        { "key": "aws:Type",     "values": { "items": [ { "value": "vpc" } ] } },
        { "key": "aws:Account",  "values": { "items": [ { "value": "<redacted>" } ] } },
        { "key": "ec2:Tenancy",  "values": { "items": [ { "value": "default" } ] } },
        { "key": "ec2:VpcID",    "values": { "items": [ { "value": "<redacted>" } ] } },
        { "key": "ec2:Region",   "values": { "items": [ { "value": "eu-west-1" } ] } },
        { "key": "aws:ARN",      "values": { "items": [ { "value": "<redacted>" } ] } }
      ]
    }
  }
}
If I remove the Condition block, it works. Any ideas?
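As an added illustration (not code from the original post), here is a small Python model of why the condition fails: the decoded message shows the evaluation context for the vpc resource (aws:Type = vpc) with no aws:RequestTag key at all, and CreateSecurityGroup is authorized against both the new security group and the VPC it is created in, so a StringEquals on aws:RequestTag can only be satisfied on the security-group resource and must not be attached to the VPC. The evaluator is a deliberately simplified model of IAM (Allow statements, glob matching, StringEquals only), and the ARNs, account number and request contexts are constructed.

```python
import fnmatch

# Constructed sample ARNs and request contexts; the real IDs in the post are redacted.
ACTION = "ec2:CreateSecurityGroup"
SG_ARN = "arn:aws:ec2:eu-west-1:111122223333:security-group/sg-placeholder"
VPC_ARN = "arn:aws:ec2:eu-west-1:111122223333:vpc/vpc-placeholder"
CTX_SG = {"aws:Type": "security-group", "aws:RequestTag/CreatedBy": "a_value"}
CTX_VPC = {"aws:Type": "vpc"}  # as in the decoded message: no aws:RequestTag key here

ORIGINAL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:GetConsole*", "ec2:CreateTags"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": ACTION, "Resource": "*",
     "Condition": {"StringEquals": {"aws:RequestTag/CreatedBy": "a_value"}}}]}

# Fix: the tag condition is scoped to the security-group ARN; the VPC gets a plain Allow.
FIXED = {"Version": "2012-10-17", "Statement": ORIGINAL["Statement"][:1] + [
    {"Effect": "Allow", "Action": ACTION, "Resource": "arn:aws:ec2:*:*:security-group/*",
     "Condition": {"StringEquals": {"aws:RequestTag/CreatedBy": "a_value"}}},
    {"Effect": "Allow", "Action": ACTION, "Resource": "arn:aws:ec2:*:*:vpc/*"}]}

def as_list(v):
    return v if isinstance(v, list) else [v]

def statement_allows(stmt, action, resource, ctx):
    """Simplified model of one Allow statement: glob-match Action and Resource, then
    require every StringEquals key to be present in the context with the wanted value."""
    if stmt["Effect"] != "Allow":
        return False
    if not any(fnmatch.fnmatchcase(action, a) for a in as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in as_list(stmt["Resource"])):
        return False
    wanted = stmt.get("Condition", {}).get("StringEquals", {})
    return all(ctx.get(k) == v for k, v in wanted.items())  # missing key -> False

def create_sg_allowed(policy, ctx_sg=CTX_SG, ctx_vpc=CTX_VPC):
    """CreateSecurityGroup is authorized against both the new group and its VPC;
    the call succeeds only if some statement allows each of the two resources."""
    stmts = policy["Statement"]
    sg_ok = any(statement_allows(s, ACTION, SG_ARN, ctx_sg) for s in stmts)
    vpc_ok = any(statement_allows(s, ACTION, VPC_ARN, ctx_vpc) for s in stmts)
    return sg_ok and vpc_ok

if __name__ == "__main__":
    print("original policy:", create_sg_allowed(ORIGINAL))  # False: VPC context has no request tag
    print("split policy:   ", create_sg_allowed(FIXED))     # True
    print("split, untagged:", create_sg_allowed(FIXED, ctx_sg={"aws:Type": "security-group"}))  # False
```

The third case shows the split policy still refuses an untagged security group, which is the behaviour the policy was meant to enforce.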