如何允许用户仅在允许的子网中创建 ec2 实例？答案

【问题标题】：How can I allow users to only create ec2 instances in a permitted subnet?如何允许用户仅在允许的子网中创建 ec2 实例？
【发布时间】：2020-07-25 22:26:21
【问题描述】：

我想让用户只在允许的子网中运行/停止 ec2 实例，但是下面的代码不起作用：

{
    "Effect": "Allow",
    "Action": [
        "ec2:RunInstances",
        "ec2:TerminateInstances",
        "ec2:StopInstances",
        "ec2:StartInstances",
        "ec2:RunScheduledInstances",
        "ec2:UnmonitorInstances"
    ],
    "Resource": [
        "*"
    ],
    "Condition": {
        "ForAnyValue:ArnEquals": {
            "ec2:Subnet": [
                "arn:aws:ec2:*:*:subnet/subnet-*******",
                "arn:aws:ec2:*:*:subnet/subnet-*******",
                "arn:aws:ec2:*:*:subnet/subnet-*******"
            ]
        }
    }
}

【问题讨论】：

请分享代码返回哪种错误

标签： amazon-web-services amazon-ec2 amazon-iam amazon-vpc subnet

【解决方案1】：

此策略将允许用户仅以编程方式和通过控制台在特定子网中运行 EC2 实例：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                    "ec2:RunInstances",
                    "ec2:TerminateInstances",
                    "ec2:StopInstances",
                    "ec2:StartInstances",
                    "ec2:RunScheduledInstances",
                    "ec2:UnmonitorInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:subnet/subnet-******",
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*::image/ami-*",
                "arn:aws:ec2:*:*:key-pair/*",
                "arn:aws:ec2:*:*:security-group/*"
            ]
        }
    ]
}

Adapted from this example

【讨论】：