【发布时间】:2019-09-18 12:54:58
【问题描述】:
我正在尝试对人们可以启动的实例类型设置一些限制。我有以下政策
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:us-east-1:123:key-pair/CI",
"arn:aws:ec2:us-east-1:123:instance/*",
"arn:aws:ec2:us-east-1:123:image/ami-*",
"arn:aws:ec2:us-east-1:123:subnet/*",
"arn:aws:ec2:us-east-1:123:network-interface/*",
"arn:aws:ec2:us-east-1:123:volume/*",
"arn:aws:ec2:us-east-1:123:security-group/sg-a363xxxx"
]
},
{
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": [
"*"
],
"Condition": {
"StringNotEquals": {
"ec2:InstanceType": "m4.4xlarge"
}
}
}
]
声明的第一部分工作正常,但我正在尝试添加拒绝部分。
{
"DryRun": true,
"ImageId": "ami-5f709f34",
"KeyName": "FE-CI",
"SecurityGroupIds": [
"sg-a363bada"
],
"UserData": "",
"InstanceType": "m4.4xlarge",
"SubnetId": "subnet-xxxxx",
"EbsOptimized":false}
当添加 Condition 语句时,一切都会被拒绝。这是解码后的授权信息。
{
"DecodedMessage": " {\"allowed\":false,\"explicitDeny\":true,\"matchedStatements\":{\"items\":[{\"statementId\":\"\",\"effect\":\"DENY\",\"principals\":{\"items\":[]},\"principalGroups\":{\"items\":[{\"value\":\"xxx\"}]},\"actions\":{\"items\":[{\"value\":\"ec2:RunInstances\"}]},\"resources\":{\"items\":[{\"value\":\"*\"}]},\"conditions\":{\"items\":[{\"key\":\"ec2:InstanceType\",\"values\":{\"items\":[{\"value\":\"m4.4xlarge\"}]}}]}}]},\"failures\":{\"items\":[]},\"context\":{\"principal\":{\"id\":\"xxx\",\"name\":\"jellin-test\",\"arn\":\"arn:aws:iam::xxx:user/jellin-test\"},\"action\":\"ec2:RunInstances\",\"resource\":\"arn:aws:ec2:us-east-1:xxx:key-pair/FE-CI\",\"conditions\":{\"items\":[{\"key\":\"ec2:Region\",\"values\":{\"items\":[{\"value\":\"us-east-1\"}]}}]}}}"
}
我在这里没有看到任何明显的错误。我的理解是第一个语句应该通过,第二个语句只有在 InstanceType 不是 m4.4xlarge 时才会拒绝
【问题讨论】:
标签: amazon-iam