We are trying to create an IAM policy that allows all EC2 operations except RunInstances. The purpose is to stop a leaked API key from being used to launch unauthorized instances. We have tried it both with and without an EC2 Allow *, because I wasn't sure whether NotAction implies all actions.
With NotAction in place, I can no longer configure EBS volumes (see below). Do we need to merge the EC2 Allow * and the NotAction RunInstances into the same policy section?
EC2 all permissions:
{
"Action": "ec2:*",
"Effect": "Allow",
"Resource": "*"
}
Then a second policy denying RunInstances (from a previous IAM policy answer on a similar topic):
{
"Statement": [
{
"NotAction": [
"ec2:RunInstances*"
],
"Effect": "Deny",
"Resource": "*"
}
]
}
ec2-54-196-184-11.compute-1.amazonaws.com * aws_ebs_volume[ip-10-140-10-132.volume15] action create
ec2-54-196-184-11.compute-1.amazonaws.com [2014-06-26T18:17:53+00:00] WARN: ##### RightAws::Ec2 returned an error: 403 Forbidden
ec2-54-196-184-11.compute-1.amazonaws.com
ec2-54-196-184-11.compute-1.amazonaws.com UnauthorizedOperation
You are not authorized to perform this operation. fcd71112-db50-4102-9855-a46749574de9 #####
ec2-54-196-184-11.compute-1.amazonaws.com [2014-06-26T18:17:53+00:00] WARN: ##### RightAws::Ec2 request: https://us-east-1.ec2.amazonaws.com:443/?AWSAccessKeyId=XXXXXXXXXXXXXXXXXXX&Action=DescribeVolumes&SignatureMethod=HmacSHA256&SignatureVersion=2&Timestamp=2014-06-26T18%3A17%3A53.000Z&Version=2012-06-15&Signature=cRMAxfs3RP0R9rlQeb7JU9zYeey8L3CWQI2Pkj2o3V0%3D####
ec2-54-196-184-11.compute-1.amazonaws.com
ec2-54-196-184-11.compute-1.amazonaws.com ================================================================================
ec2-54-196-184-11.compute-1.amazonaws.com Error executing action `create` on resource 'aws_ebs_volume[ip-10-140-10-132.volume15]'
ec2-54-196-184-11.compute-1.amazonaws.com ================================================================================
ec2-54-196-184-11.compute-1.amazonaws.com
ec2-54-196-184-11.compute-1.amazonaws.com
ec2-54-196-184-11.compute-1.amazonaws.com RightAws::AwsError
ec2-54-196-184-11.compute-1.amazonaws.com ------------------
ec2-54-196-184-11.compute-1.amazonaws.com UnauthorizedOperation: You are not authorized to perform this operation.
ec2-54-196-184-11.compute-1.amazonaws.com
ec2-54-196-184-11.compute-1.amazonaws.com
ec2-54-196-184-11.compute-1.amazonaws.com Cookbook Trace:
ec2-54-196-184-11.compute-1.amazonaws.com ---------------
ec2-54-196-184-11.compute-1.amazonaws.com /var/chef/cache/cookbooks/aws/providers/ebs_volume.rb:138:in `currently_attached_volume'
ec2-54-196-184-11.compute-1.amazonaws.com /var/chef/cache/cookbooks/aws/providers/ebs_volume.rb:26:in `block in class_from_file'
ec2-54-196-184-11.compute-1.amazonaws.com
ec2-54-196-184-11.compute-1.amazonaws.com
ec2-54-196-184-11.compute-1.amazonaws.com Resource Declaration:
ec2-54-196-184-11.compute-1.amazonaws.com ---------------------
ec2-54-196-184-11.compute-1.amazonaws.com # In /var/chef/cache/cookbooks/cook_aws/recipes/ebs.rb
ec2-54-196-184-11.compute-1.amazonaws.com
ec2-54-196-184-11.compute-1.amazonaws.com 26: aws_ebs_volume node['w2o']['ebs']['volume_name'] do
ec2-54-196-184-11.compute-1.amazonaws.com 27:   action [:create, :attach]
ec2-54-196-184-11.compute-1.amazonaws.com 28:   aws_access_key node['aws']['access_key_id']
ec2-54-196-184-11.compute-1.amazonaws.com 29:   aws_secret_access_key node['aws']['secret_access_key']
ec2-54-196-184-11.compute-1.amazonaws.com 30:   device node['w2o']['ebs']['ebs_device']
ec2-54-196-184-11.compute-1.amazonaws.com 31:   size node['w2o']['ebs']['ebs_mount_size']
ec2-54-196-184-11.compute-1.amazonaws.com 32:
ec2-54-196-184-11.compute-1.amazonaws.com 33:   # specify piops if it is present in the node attributes
ec2-54-196-184-11.compute-1.amazonaws.com 34:   if node['w2o']['ebs']['ebs_piops'] > 0
ec2-54-196-184-11.compute-1.amazonaws.com 35:     piops node['w2o']['ebs']['ebs_piops']
ec2-54-196-184-11.compute-1.amazonaws.com 36:     volume_type 'io1'
ec2-54-196-184-11.compute-1.amazonaws.com 37:   end
ec2-54-196-184-11.compute-1.amazonaws.com 38:
ec2-54-196-184-11.compute-1.amazonaws.com
ec2-54-196-184-11.compute-1.amazonaws.com
ec2-54-196-184-11.compute-1.amazonaws.com
ec2-54-196-184-11.compute-1.amazonaws.com Compiled Resource:
ec2-54-196-184-11.compute-1.amazonaws.com ------------------
ec2-54-196-184-11.compute-1.amazonaws.com # Declared in /var/chef/cache/cookbooks/cook_aws/recipes/ebs.rb:26:in `from_file'
ec2-54-196-184-11.compute-1.amazonaws.com
ec2-54-196-184-11.compute-1.amazonaws.com aws_ebs_volume("ip-10-140-10-132.volume15") do
ec2-54-196-184-11.compute-1.amazonaws.com   action [:create, :attach]
ec2-54-196-184-11.compute-1.amazonaws.com   retries 0
ec2-54-196-184-11.compute-1.amazonaws.com   retry_delay 2
ec2-54-196-184-11.compute-1.amazonaws.com   cookbook_name "cook_aws"
ec2-54-196-184-11.compute-1.amazonaws.com   recipe_name "ebs"
ec2-54-196-184-11.compute-1.amazonaws.com   aws_access_key "XXXXXXXXXXXXXXXXXXXXX"
ec2-54-196-184-11.compute-1.amazonaws.com   aws_secret_access_key "XXXXXXXXXXXXXXXXXXXXX"
ec2-54-196-184-11.compute-1.amazonaws.com   device "/dev/xvdf"
ec2-54-196-184-11.compute-1.amazonaws.com   size 50
ec2-54-196-184-11.compute-1.amazonaws.com end
ec2-54-196-184-11.compute-1.amazonaws.com
ec2-54-196-184-11.compute-1.amazonaws.com
ec2-54-196-184-11.compute-1.amazonaws.com
ec2-54-196-184-11.compute-1.amazonaws.com [2014-06-26T18:17:53+00:00] ERROR: Running exception handlers
ec2-54-196-184-11.compute-1.amazonaws.com [2014-06-26T18:17:53+00:00] ERROR: Exception handlers complete
ec2-54-196-184-11.compute-1.amazonaws.com [2014-06-26T18:17:53+00:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
ec2-54-196-184-11.compute-1.amazonaws.com Chef Client failed. 2 resources updated
ec2-54-196-184-11.compute-1.amazonaws.com [2014-06-26T18:17:54+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
Answer 1
Spent an hour with a trial account and the IAM policy simulator to arrive at this:
{
"Version": "2012-10-17",
"Statement": [
{
"NotAction": [
"ec2:RunInstances*"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "elasticloadbalancing:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "cloudwatch:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "autoscaling:*",
"Resource": "*"
}
]
}
In case it is useful to someone: you can put whatever actions you want under NotAction.
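The following is an added example, not code from the question or the answer above. It is a small Python evaluator for the Action / NotAction / Allow / Deny logic of IAM identity policies, and it reproduces both outcomes discussed in this thread: why the question's pair of policies returns UnauthorizedOperation on DescribeVolumes while still permitting RunInstances, and what the answer's Allow-with-NotAction statement actually grants (every action in every service except ec2:RunInstances, so the three extra Allow statements in the answer are already covered by the first one). The policies and the checked action names are transcribed from this page; a fourth policy, labelled "recommended", is the editor's own candidate that matches the stated goal (all of EC2 except RunInstances, nothing outside EC2). The evaluator ignores Resource and Condition, an assumption that holds here because every statement uses Resource "*", so it approximates the IAM policy simulator rather than replacing it.

```python
# Added example: minimal evaluator for Action/NotAction/Effect in IAM identity
# policies. Resource and Condition are deliberately ignored (assumption: every
# statement in this thread uses Resource "*" and no Condition).
import fnmatch


def _as_list(value):
    """IAM lets Action, NotAction and Statement be a string or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive; '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def statement_applies(stmt, action):
    """True if the statement's Action or NotAction element covers this action."""
    if "Action" in stmt:
        return any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        # NotAction covers every action EXCEPT those listed. With Effect Deny
        # that means "deny everything except the listed actions".
        return not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False


def evaluate(policies, action):
    """Return 'allow' or 'deny' for one action across a list of policy documents.

    Evaluation order for identity policies: an explicit Deny in any applicable
    statement wins; otherwise at least one Allow is required; otherwise the
    result is an implicit deny.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not statement_applies(stmt, action):
                continue
            if stmt["Effect"] == "Deny":
                return "deny"
            allowed = True
    return "allow" if allowed else "deny"


# The two policies from the question, transcribed.
QUESTION_ALLOW_ALL_EC2 = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}
QUESTION_DENY_NOTACTION = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "NotAction": ["ec2:RunInstances*"], "Resource": "*"}],
}

# The first statement of the answer; its other three statements are subsumed by it.
ANSWER_ALLOW_NOTACTION = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "NotAction": ["ec2:RunInstances*"], "Resource": "*"}],
}

# Editor's candidate for the stated goal: allow the EC2 service, then explicitly
# deny the one action. Nothing outside EC2 is granted.
RECOMMENDED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "*"},
    ],
}

# Actions a practitioner would check: the call that failed in the Chef log, the
# call the recipe needs next, the action being restricted, and a non-EC2 action.
CHECKS = ["ec2:DescribeVolumes", "ec2:CreateVolume", "ec2:RunInstances", "iam:CreateUser"]


def compare():
    """Evaluate each candidate policy set against CHECKS; returns nested dicts."""
    candidates = {
        "question (Allow ec2:* + Deny NotAction)": [QUESTION_ALLOW_ALL_EC2, QUESTION_DENY_NOTACTION],
        "answer (Allow NotAction)": [ANSWER_ALLOW_NOTACTION],
        "recommended (Allow ec2:* + Deny RunInstances)": [RECOMMENDED],
    }
    return {name: {a: evaluate(pols, a) for a in CHECKS} for name, pols in candidates.items()}


if __name__ == "__main__":
    for name, results in compare().items():
        print(name)
        for action, verdict in results.items():
            print(f"  {action:<22} {verdict}")
```

Running it shows the question's Deny statement blocking DescribeVolumes (the exact 403 in the Chef log) while leaving RunInstances allowed, the opposite of the intent, and shows the answer's policy allowing iam:CreateUser, which is a much wider grant than "EC2 except RunInstances" and matters precisely in the leaked-key scenario the question is about. The authoritative check before deploying any variant is the real simulator, for example `aws iam simulate-custom-policy --policy-input-list file://policy.json --action-names ec2:DescribeVolumes ec2:RunInstances iam:CreateUser`, which also accounts for Resource and Condition elements this toy evaluator ignores.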