【问题标题】：How to limit EC2 EBS volume size for ec2:RunInstances in IAM policy?如何在 IAM 策略中限制 ec2:RunInstances 的 EC2 EBS 卷大小？
【发布时间】：2018-08-12 18:24:41
【问题描述】：

我现在拥有的 IAM 策略能够限制实例类型，但我还希望能够将 EBS 卷大小限制在某个值以下。我将如何修改以下 JSON IAM 策略？最好我想要一些类似于“条件”的东西：“IntegerLessThanOrEquals”，但是手动指定每个数字是可以接受的，因为我需要将其限制为 10 GiB。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AdminPermissions",
            "Effect": "Allow",
            "Action": [
                "ssm:SendCommand",
                "ssm:GetCommandInvocation",
                "ec2:StopInstances",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeNetworkInterfaces",
                "ec2:CreateTags"
            ],
            "Resource": "*"
        },
        {
            "Sid": "RunInstanceResourcePermissions",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*::image/*"
            ]
        },
        {
            "Sid": "LimitInstanceTypes",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:InstanceType": [
                        "t2.nano",
                        "t2.micro",
                        "t2.small",
                        "t2.medium"
                    ]
                }
            }
        }
    ]
}

编辑：回答

这是我得到的解决方案。语句“LimitInstanceVolumeSize”是新的，资源“arn:aws:ec2:::volume/*”被移到它上面。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AdminPermissions",
            "Effect": "Allow",
            "Action": [
                "ssm:SendCommand",
                "ssm:GetCommandInvocation",
                "ec2:StopInstances",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeNetworkInterfaces",
                "ec2:CreateTags"
            ],
            "Resource": "*"
        },
        {
            "Sid": "RunInstanceResourcePermissions",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*::image/*"
            ]
        },
        {
            "Sid": "LimitInstanceVolumeSize",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*"
            ],
            "Condition": {
                "NumericLessThanEquals": {
                    "ec2:VolumeSize": "16"
                }
            }
        },
        {
            "Sid": "LimitInstanceTypes",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:InstanceType": [
                        "t2.nano",
                        "t2.micro",
                        "t2.small",
                        "t2.medium"
                    ]
                }
            }
        }
    ]
}

【问题讨论】：

标签： amazon-web-services amazon-ec2 amazon-iam

【解决方案1】：

您可以通过使用条件键ec2:VolumeSize 来实现此目的，资源将为arn:aws:ec2:region:account:volume/*，API 操作为AttachVolume。

谢谢

【讨论】：