Amazon IAM User Policy To Limit Launch Instances


[Title] Amazon IAM User Policy To Limit Launch Instances [Posted] 2015-08-23 17:51:13 [Question]:

I am trying to create a user policy that restricts launching instances to a specific region and to the t1.micro instance type. I have tried several solutions, but so far none of them has worked.

Even this one does not allow describing instance state: I created a user with this policy and can launch instances, but I cannot use the API to describe their status. Not sure what the problem is. Any help is appreciated.


    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "..",
                "Effect": "Allow",
                "Action": [
                    "ec2:*"
                ],
                "Resource": [
                    "arn:aws:ec2:us-west-2:*:*"
                ]
            }
        ]
    }


[Answer 1]:

I found this AWS documentation, which explains which APIs do not support resource-level permissions and why the policy in my question did not work. After moving some actions to use the * resource, the following works for my case:


    {
        "Version": "2012-10-17",
        "Statement": [
            {
                // This allows viewing instances if the user logs in to the dashboard (does not include CloudWatch, you can add it if you want)
                "Effect": "Allow",
                "Action": [
                    "ec2:Describe*"
                ],
                "Resource": "*"
            },
            {
                // Users are limited to starting instances that are in the west region, and only micro instances
                "Effect": "Allow",
                "Action": [
                    "ec2:RunInstances",
                    "ec2:StartInstances",
                    "ec2:StopInstances",
                    "ec2:TerminateInstances"
                ],
                "Resource": "arn:aws:ec2:us-west-2:*:instance/*",
                "Condition": {
                    "StringEquals": {
                        "ec2:InstanceType": [
                            "t1.micro",
                            "t2.micro"
                        ]
                    }
                }
            },
            {
                // Allow the user to launch instances using images in the west region
                "Effect": "Allow",
                "Action": [
                    "ec2:RunInstances"
                ],
                "Resource": [
                    "arn:aws:ec2:us-west-2:*:image/ami-*",
                    "arn:aws:ec2:us-west-2:*:subnet/*",
                    "arn:aws:ec2:us-west-2:*:network-interface/*",
                    "arn:aws:ec2:us-west-2:*:volume/*",
                    "arn:aws:ec2:us-west-2:*:key-pair/*",
                    "arn:aws:ec2:us-west-2:*:security-group/*"
                ]
            },
            {
                // These don't fall under resource-level permissions, so they need to be separated in order for users to launch instances
                "Effect": "Allow",
                "Action": [
                    "ec2:CreateSecurityGroup",
                    "ec2:AuthorizeSecurityGroupEgress",
                    "ec2:AuthorizeSecurityGroupIngress",
                    "ec2:RevokeSecurityGroupEgress",
                    "ec2:RevokeSecurityGroupIngress"
                ],
                "Resource": "*"
            },
            {
                // This also cannot have resource-level permissions; allows the user to create images from existing running instances
                "Effect": "Allow",
                "Action": [
                    "ec2:CreateImage"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }

Hope this helps someone else.
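The following is an added example, not code from the question or the answer above. It is a small offline evaluator that models just enough of IAM policy evaluation (Action and Resource wildcards, the StringEquals operator, explicit Deny over Allow over implicit deny) to show why the question's policy cannot authorize DescribeInstances while the answer's policy can, and how the ec2:InstanceType condition and the region in the instance ARN restrict RunInstances. The account ID, AMI ID and instance IDs are constructed placeholders; NotAction, NotResource, policy variables and the other condition operators are deliberately not modelled, and RunInstances is checked here only against the instance and image ARNs, not the subnet, ENI, volume, key-pair and security-group ARNs a real call is also authorized against.

```python
"""Offline evaluator for the two IAM policies above (added example, not from the post)."""
import fnmatch

ACCOUNT = "123456789012"  # constructed placeholder account ID

# The policy from the question: everything in ec2, but only on us-west-2 ARNs.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:*"],
                   "Resource": ["arn:aws:ec2:us-west-2:*:*"]}],
}

# The policy from the answer, minus a few security-group actions for brevity.
ANSWER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ec2:RunInstances", "ec2:StartInstances",
                    "ec2:StopInstances", "ec2:TerminateInstances"],
         "Resource": "arn:aws:ec2:us-west-2:*:instance/*",
         "Condition": {"StringEquals": {
             "ec2:InstanceType": ["t1.micro", "t2.micro"]}}},
        {"Effect": "Allow", "Action": ["ec2:RunInstances"],
         "Resource": ["arn:aws:ec2:us-west-2:*:image/ami-*",
                      "arn:aws:ec2:us-west-2:*:subnet/*",
                      "arn:aws:ec2:us-west-2:*:network-interface/*",
                      "arn:aws:ec2:us-west-2:*:volume/*",
                      "arn:aws:ec2:us-west-2:*:key-pair/*",
                      "arn:aws:ec2:us-west-2:*:security-group/*"]},
        {"Effect": "Allow", "Action": ["ec2:CreateSecurityGroup",
                                       "ec2:AuthorizeSecurityGroupIngress"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:CreateImage"], "Resource": ["*"]},
    ],
}


def _as_list(value):
    """Action, Resource and condition values may be a string or a list."""
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    # Escape '[' so fnmatch does not treat it as a character class.
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def _condition_ok(condition, context):
    for operator, pairs in (condition or {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, allowed in pairs.items():
            # StringEquals on a key absent from the request context is false;
            # that is what makes the InstanceType condition bite.
            if context.get(key) not in _as_list(allowed):
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Decision for one (action, resource) pair: 'Allow', 'Deny' or 'ImplicitDeny'."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        # Action names match case-insensitively; ARNs are compared as-is.
        if not any(_glob(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_ok(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins
        decision = "Allow"
    return decision


def describe_allowed(policy):
    """DescribeInstances has no resource-level permissions: the request
    resource is literally '*', so only a statement whose Resource is '*'
    can match. This is why the question's us-west-2 ARN pattern never applies."""
    return evaluate(policy, "ec2:DescribeInstances", "*") == "Allow"


def run_instances_allowed(policy, region, instance_type, image="ami-12345678"):
    """RunInstances is authorized once per resource it touches and every ARN
    must be allowed. Checked here: the instance ARN (where ec2:InstanceType
    is available) and the AMI ARN (which carries no account ID)."""
    checks = [
        (f"arn:aws:ec2:{region}:{ACCOUNT}:instance/*",
         {"ec2:InstanceType": instance_type}),
        (f"arn:aws:ec2:{region}::image/{image}", {}),
    ]
    return all(evaluate(policy, "ec2:RunInstances", arn, ctx) == "Allow"
               for arn, ctx in checks)


if __name__ == "__main__":
    for name, pol in (("question", QUESTION_POLICY), ("answer", ANSWER_POLICY)):
        print(name, "DescribeInstances allowed:", describe_allowed(pol))
    for region, itype in (("us-west-2", "t2.micro"), ("us-west-2", "c4.large"),
                          ("us-east-1", "t2.micro")):
        print(region, itype, run_instances_allowed(ANSWER_POLICY, region, itype))
```

Two things this makes visible that the JSON alone does not: the question's policy fails Describe calls because "arn:aws:ec2:us-west-2:*:*" never matches the literal "*" resource those calls are evaluated against, and the answer's second statement only restricts instance type because the request context for the instance ARN carries ec2:InstanceType, which is why the AMI, subnet and other ARNs need their own condition-free RunInstances statement. Before trusting a real policy, confirm the decisions against the IAM policy simulator rather than against a model like this one.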

