未经授权从共享私有 AMI 运行 ec2 实例

【问题标题】:Unauthorized to ec2 run-instances from shared private AMI未经授权从共享私有 AMI 运行 ec2 实例
【发布时间】:2021-03-13 13:10:08
【问题描述】:

我在账户 183136277722 上创建了 AMI。我将它分享给了账户 574616038232。 我创建了 iam 策略以便能够运行此 AMI:

            "Condition": {
                "StringEquals": {
                    "ec2:Owner": [
                        "183136277722"
                    ]
                }
            },
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": "arn:aws:ec2:eu-west-1::image/ami-*",
            "Effect": "Allow",
            "Sid": "RunSharedAmi"
        }

当我登录帐户 574616038232 时尝试从 AMI 启动 ec2 时,我收到错误消息:

An error occurred (UnauthorizedOperation) when calling the RunInstances operation: You are not authorized to perform this operation. Encoded authorization failure message: Eq8rCjogNsPD8Rw45V5f7XHeFSTJ8ddXbHdtpWw7AJnEeGMVuOtk1VBe-Z1fR3ONRjcxcJEafrwaVZdyeUjw-ZNGwmDjDN3DyEysimEMNX9TQhcEhaIpUBpSrBXZutEb6cR1n5JVNak9zrcJRiuQhkJybpsPFE80epCoXJlIakq2kYk8uS8no2p28ujo0dLi4GJ63Dlq32zReA338ksB1quGfKX7HVultbfdnOAPkKih_A3HjEs59yMpZZ-l0ngtcLL6yzAcxhocQPe15nyu9S96I-8uI9hmR7HnEE24Aa9qJaj0ZiT57NFckkhVojsWmmsN8XWh02g8P1gSfyyHfPmFj9E2khxGZ9Vvc-oglx6gKbU7XHzlsOygouTD8uNutQS7OFaK_8TIKmAgYHP-CQ_AFk-X1zAbYMhs9TNt3pOu5Gz1xYKnrYUWQetf6gWmyVsQ6ioFMW9fKfFjLPrtQMtLtXqtYuteHSXt6LAWH4ZN5yJOWbHiC9ymoV05GG1UjsrNxlCU5KuS8Nhewfwefefewfwefwefewqwdwd34r23fdsacf23fv32HawKZF0bX-uXLJVSGsAV5MOk1zw6k3_Gwi7Y-ZY-1b7kmGMhYy9rjMLJvw8Q6NjOgQuHyfpeFTodgsX4A0kEuuQMf2hBcaAYCGJbHXnHGh0-5ZMHvinGNbfKtLw7gW_Hb1pmR0ujVDM2GDcdglOu99fT79zWaO9wt1jrzCUgiieIjrQhlEiaQI3uQf5idoGOovpT4EM5wR3vOIDchZqCZozndA8I-lSYS7X3wrFK0EhNq1h_X1mqSVoYUKsUVrgO6XtU2NSpeDsbEVlpjRBb4MOfDSgPumVDM_AlYnil67kFq7fv8aWVzD8cLBmYVDdKjpzrIbxDM2n04q0sAvygQbGForj791uF8SksMM-2J0N7ue5JbtbCbOsVZS9HKOMq5fOAk41wUSL5LuFQKUBEDs3vaHqzh7BUQ3vt4P7CTGsG8Vyp3yva-vd8S0HE1y0zuSTsv65XnqVSQDyZ_ZAEm6cqyBdwz2L3ZGO-_HV_AH

我解码消息并得到

{ "DecodedMessage": "{"allowed":false,"explicitDeny":true,"matchedStatements":{"items":[{"statementId":"AllowLaunchOnlyFromApprovedImages","effect":"DENY","principals":{ "items":[{"value":"AROCDLSOI5ZZM7QIFOITO"}]},"principalGroups":{"items":[]},"actions":{"items":[{"value":"ec2:RunInstances" }]},"resources":{"items":[{"value":"arn:aws:ec2:eu-west-1::image/ami-*"}]},"conditions":{"items ":[{"key":"ec2:Owner","values":{"items":[{"value":"277688789493"},{"value":"amazon"},{"value":" aws-marketplace"},{"value":"737859062117"},{"value":"394136139437"},{"value":"851093456999"},{"value":"335031091084"},{"value" :"207456136159"},{"value":"028557712108"},{"value":"164996153968"},{"value":"533600275369"},{"value":"930136447543"},{"value" :"658312218119"},{"value":"687831498517"},{"value":"201245860548"},{"value":"574616038232"},{"value":"493917785438"},{"value" :"378058653094"},{"value":"901455435209"},{"value":"652668783151"},{"value":"988201728534"},{"value":"669990426999"},{"value" :"142986109290"},{"价值”:“679593333241”},{“价值”:“309956199498”},{“价值”:“602401143452”},{“价值”:“379101102735”},{“价值”:“504948279284”},{“值":"951854665038"}]}}]}}]},"失败":{"items":[]},"context":{"principal":{"id":"AROCDLSOI5ZZM7QIFOITO:503217544"," arn":"arn:aws:sts::574616038232:assumed-role/hc-mobil-devops/503217544"},"action":"ec2:RunInstances","re​​source":"arn:aws:ec2:eu- west-1::image/ami-088a17ca0987e0186","conditions":{"items":[{"key":"ec2:ImageID","values":{"items":[{"value":"ami -088a17ca0987e0186"}]}},{"key":"ec2:ImageType","values":{"items":[{"value":"machine"}]}},{"key":"aws:资源","values":{"items":[{"value":"image/ami-088a17ca0987e0186"}]}},{"key":"aws:Account","values":{"items": [{"value":"574616038232"}]}},{"key":"ec2:IsLaunchTemplateResource","values":{"items":[{"value":"false"}]}},{" key":"ec2:RootDeviceType","values":{"items":[{"value":"ebs"}]}},{"key":"aws:Region","values":{"items ":[{"value":"eu-west-1"}]}},{"key":"aws:Service","values":{"items":[{"value":"ec2"} ]}},{“钥匙”: "ec2:Owner","values":{"items":[{"value":"183136277722"}]}},{"key":"ec2:Public","values":{"items":[ {"value":"false"}]}},{"key":"aws:Type","values":{"items":[{"value":"image"}]}},{"key ":"ec2:Region","values":{"items":[{"value":"eu-west-1"}]}},{"key":"aws:ARN","values": {"items":[{"value":"arn:aws:ec2:eu-west-1::image/ami-088a17ca0987e0186"}]}}]}}}"

为什么它不起作用?我错过了一些政策/权限吗?

【问题讨论】:

  • 您是否检查过是否是 Aws 区域导致了问题?
  • 显示 IAM 策略的 sn-p 不足以确定该策略是否导致您的问题。您的政策是否有声明 ID“AllowLaunchOnlyFromApprovedImages”?如果不是,那么您的环境中还有其他东西明确拒绝了该请求。也许是服务控制策略。
  • 不,这不是地区问题。我没有声明 ID 为“AllowLaunchOnlyFromApprovedImages”的政策。您的意思是上面的某些东西阻止了我从不同所有者的 AMI 创建 ec2 的访问权限?

标签: amazon-web-services amazon-ec2 amazon-ami unauthorized


【解决方案1】:

您需要授予对更多Resources 的访问权限,以允许ec2:RunInstances 调用成功。这是一个有用的帖子,包含最低限度的政策:Minimal IAM policy for ec2:RunInstances

【讨论】:

  • 我已经添加了另一个语句,但仍然不起作用:/ "Statement": [ { "Action": [ "ec2:Create*", "ec2:Describe*", "ec2:AuthorizeSecurityGroup*", "ec2:RunInstances", "ec2:ModifyVolume" ], "Resource": "*", "Effect": "Allow", "Sid": "ReadCreateOnly" }, 也许某些服务或某种不允许我从不同所有者的 AMI 运行 ec2 的服务?
【解决方案2】:

根据解码的消息,在组织级别强制执行了 SCP explicitDeny":true,"matchedStatements":{"items":[{"statementId":"**AllowLaunchOnlyFromApprovedImages**","effect":"DENY,并且是您拒绝的原因。

【讨论】:

    猜你喜欢
    • 1970-01-01
    • 1970-01-01
    • 2013-12-02
    • 2021-11-21
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 2012-02-25
    • 1970-01-01
    相关资源
    最近更新 更多
    热门标签
    Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode