【发布时间】:2022-11-16 14:35:16
【问题描述】:
我希望能够限制ec2:*操作(特别是ec2:RunInstances) 仅在特定的 AWS 帐户中,并防止它们针对具有专用标签的现有 ec2 实例。
我有以下政策:
{
"Sid": "EC2InfraAccess",
"Effect": "Allow",
"Action": [
"ec2:*"
],
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"aws:ResourceAccount": [
"111111111111"
]
},
"StringNotEquals": {
"aws:ResourceTag/cluster": [
"team-prod-eks",
"team-stage-eks"
]
}
}
}
所以我希望用户能够执行 ec2:RunInstances 但无法对两个 kubernetes 集群的节点执行任何 ec2:* 操作。
帐户111111111111 中的资源确实有标签cluster=team-prod-eks 或cluster=team-stage-eks。
我需要用户能够创建新的EC2无法对与这 2 个 eks 集群关联的节点执行任何操作的实例。
但它不起作用,我收到:
Error: creating EC2 instance: UnauthorizedOperation:
You are not authorized to perform this operation. Encoded authorization failure message....
解码后的消息是这样的:
{
"allowed": false,
"explicitDeny": false,
"matchedStatements": {
"items": []
},
"failures": {
"items": []
},
"context": {
"principal": {
"id": "AROA6BMT6GMYSAV3BDPVI:UserName",
"arn": "arn:aws:sts::111111111:assumed-role/AWSReservedSSO_role_5fbf1098ce7e652e/UserName"
},
"action": "ec2:RunInstances",
"resource": "arn:aws:ec2:us-west-2::image/ami-0c12b5d624d73f1c0",
"conditions": {
"items": [
{
"key": "ec2:ImageID",
"values": {
"items": [
{
"value": "ami-0c12b5d624d73f1c0"
}
]
}
},
{
"key": "ec2:ImageType",
"values": {
"items": [
{
"value": "machine"
}
]
}
},
{
"key": "aws:Resource",
"values": {
"items": [
{
"value": "image/ami-0c12b5d624d73f1c0"
}
]
}
},
{
"key": "aws:Account",
"values": {
"items": [
{
"value": "801119661308"
}
]
}
},
{
"key": "ec2:IsLaunchTemplateResource",
"values": {
"items": [
{
"value": "false"
}
]
}
},
{
"key": "ec2:RootDeviceType",
"values": {
"items": [
{
"value": "ebs"
}
]
}
},
{
"key": "aws:Region",
"values": {
"items": [
{
"value": "us-west-2"
}
]
}
},
{
"key": "aws:Service",
"values": {
"items": [
{
"value": "ec2"
}
]
}
},
{
"key": "ec2:Owner",
"values": {
"items": [
{
"value": "amazon"
}
]
}
},
{
"key": "ec2:Public",
"values": {
"items": [
{
"value": "true"
}
]
}
},
{
"key": "aws:Type",
"values": {
"items": [
{
"value": "image"
}
]
}
},
{
"key": "ec2:Region",
"values": {
"items": [
{
"value": "us-west-2"
}
]
}
},
{
"key": "aws:ARN",
"values": {
"items": [
{
"value": "arn:aws:ec2:us-west-2::image/ami-0c12b5d624d73f1c0"
}
]
}
}
]
}
}
}
那么如何编写适当的策略,以便他们可以在具有任何 AMI ID 的特定帐户中运行实例?
"action": "ec2:RunInstances",
"resource": "arn:aws:ec2:us-west-2::image/ami-0c12b5d624d73f1c0",
【问题讨论】:
标签: amazon-web-services aws-policies