我正在编写IAM策略以部署EC2实例,我不想授予EC2完全访问权限。遵循最小特权原则,设置EC2实例需要什么权限
取决于您是否希望他们从控制台或CLI享用午餐。
对于控制台,根据docs,以下策略适用:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeImages",
"ec2:DescribeKeyPairs",
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:CreateSecurityGroup",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateKeyPair"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "*"
}
]
}
对于CLI,策略显示为here。