AWS IAM policy issue: can't allow everything except RunInstances

We are trying to create an IAM policy that allows all EC2 actions except RunInstances. This is to prevent a leaked API key from being used to launch unauthorized instances. We have tried it both with and without the EC2 Allow *, since I'm not clear on whether NotAction implies all actions.

After using NotAction, I can't configure EBS volumes (see below). Do we need to merge the EC2 Allow * and the NotAction RunInstances into the same policy section?

Full EC2 permissions:

    "Action": "ec2:*", "Effect": "Allow", "Resource": "*",

Then a second policy that denies RunInstances (from a previous IAM policy answer on a similar topic):

    {
        "Statement": [
            {
                "NotAction": [
                    "ec2:RunInstances*"
                ],
                "Effect": "Deny",
                "Resource": "*"
            }
        ]
    }

    ec2-54-196-184-11.compute-1.amazonaws.com * aws_ebs_volume[ip-10-140-10-132.volume15] action create
    ec2-54-196-184-11.compute-1.amazonaws.com [2014-06-26T18:17:53+00:00] WARN: ##### RightAws::Ec2 returned an error: 403 Forbidden
    ec2-54-196-184-11.compute-1.amazonaws.com
    ec2-54-196-184-11.compute-1.amazonaws.com UnauthorizedOperation You are not authorized to perform this operation. fcd71112-db50-4102-9855-a46749574de9 #####
    ec2-54-196-184-11.compute-1.amazonaws.com [2014-06-26T18:17:53+00:00] WARN: ##### RightAws::Ec2 request: https://us-east-1.ec2.amazonaws.com:443/?AWSAccessKeyId=XXXXXXXXXXXXXXXXXXX&Action=DescribeVolumes&SignatureMethod=HmacSHA256&SignatureVersion=2&Timestamp=2014-06-26T18%3A17%3A53.000Z&Version=2012-06-15&Signature=cRMAxfs3RP0R9rlQeb7JU9zYeey8L3CWQI2Pkj2o3V0%3D####
    ec2-54-196-184-11.compute-1.amazonaws.com
    ec2-54-196-184-11.compute-1.amazonaws.com ================================================================================
    ec2-54-196-184-11.compute-1.amazonaws.com Error executing action `create` on resource 'aws_ebs_volume[ip-10-140-10-132.volume15]'
    ec2-54-196-184-11.compute-1.amazonaws.com ================================================================================
    ec2-54-196-184-11.compute-1.amazonaws.com
    ec2-54-196-184-11.compute-1.amazonaws.com RightAws::AwsError
    ec2-54-196-184-11.compute-1.amazonaws.com ------------------
    ec2-54-196-184-11.compute-1.amazonaws.com UnauthorizedOperation: You are not authorized to perform this operation.
    ec2-54-196-184-11.compute-1.amazonaws.com
    ec2-54-196-184-11.compute-1.amazonaws.com Cookbook Trace:
    ec2-54-196-184-11.compute-1.amazonaws.com ---------------
    ec2-54-196-184-11.compute-1.amazonaws.com /var/chef/cache/cookbooks/aws/providers/ebs_volume.rb:138:in `currently_attached_volume'
    ec2-54-196-184-11.compute-1.amazonaws.com /var/chef/cache/cookbooks/aws/providers/ebs_volume.rb:26:in `block in class_from_file'
    ec2-54-196-184-11.compute-1.amazonaws.com
    ec2-54-196-184-11.compute-1.amazonaws.com Resource Declaration:
    ec2-54-196-184-11.compute-1.amazonaws.com ---------------------
    ec2-54-196-184-11.compute-1.amazonaws.com # In /var/chef/cache/cookbooks/cook_aws/recipes/ebs.rb
    ec2-54-196-184-11.compute-1.amazonaws.com
    ec2-54-196-184-11.compute-1.amazonaws.com  26: aws_ebs_volume node['w2o']['ebs']['volume_name'] do
    ec2-54-196-184-11.compute-1.amazonaws.com  27:   action [:create, :attach]
    ec2-54-196-184-11.compute-1.amazonaws.com  28:   aws_access_key node['aws']['access_key_id']
    ec2-54-196-184-11.compute-1.amazonaws.com  29:   aws_secret_access_key node['aws']['secret_access_key']
    ec2-54-196-184-11.compute-1.amazonaws.com  30:   device node['w2o']['ebs']['ebs_device']
    ec2-54-196-184-11.compute-1.amazonaws.com  31:   size node['w2o']['ebs']['ebs_mount_size']
    ec2-54-196-184-11.compute-1.amazonaws.com  32:
    ec2-54-196-184-11.compute-1.amazonaws.com  33:   # specify piops if it is present in the node attributes
    ec2-54-196-184-11.compute-1.amazonaws.com  34:   if node['w2o']['ebs']['ebs_piops'] > 0
    ec2-54-196-184-11.compute-1.amazonaws.com  35:     piops node['w2o']['ebs']['ebs_piops']
    ec2-54-196-184-11.compute-1.amazonaws.com  36:     volume_type 'io1'
    ec2-54-196-184-11.compute-1.amazonaws.com  37:   end
    ec2-54-196-184-11.compute-1.amazonaws.com  38:
    ec2-54-196-184-11.compute-1.amazonaws.com
    ec2-54-196-184-11.compute-1.amazonaws.com Compiled Resource:
    ec2-54-196-184-11.compute-1.amazonaws.com ------------------
    ec2-54-196-184-11.compute-1.amazonaws.com # Declared in /var/chef/cache/cookbooks/cook_aws/recipes/ebs.rb:26:in `from_file'
    ec2-54-196-184-11.compute-1.amazonaws.com
    ec2-54-196-184-11.compute-1.amazonaws.com aws_ebs_volume("ip-10-140-10-132.volume15") do
    ec2-54-196-184-11.compute-1.amazonaws.com   action [:create, :attach]
    ec2-54-196-184-11.compute-1.amazonaws.com   retries 0
    ec2-54-196-184-11.compute-1.amazonaws.com   retry_delay 2
    ec2-54-196-184-11.compute-1.amazonaws.com   cookbook_name "cook_aws"
    ec2-54-196-184-11.compute-1.amazonaws.com   recipe_name "ebs"
    ec2-54-196-184-11.compute-1.amazonaws.com   aws_access_key "XXXXXXXXXXXXXXXXXXXXX"
    ec2-54-196-184-11.compute-1.amazonaws.com   aws_secret_access_key "XXXXXXXXXXXXXXXXXXXXX"
    ec2-54-196-184-11.compute-1.amazonaws.com   device "/dev/xvdf"
    ec2-54-196-184-11.compute-1.amazonaws.com   size 50
    ec2-54-196-184-11.compute-1.amazonaws.com end
    ec2-54-196-184-11.compute-1.amazonaws.com
    ec2-54-196-184-11.compute-1.amazonaws.com [2014-06-26T18:17:53+00:00] ERROR: Running exception handlers
    ec2-54-196-184-11.compute-1.amazonaws.com [2014-06-26T18:17:53+00:00] ERROR: Exception handlers complete
    ec2-54-196-184-11.compute-1.amazonaws.com [2014-06-26T18:17:53+00:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
    ec2-54-196-184-11.compute-1.amazonaws.com Chef Client failed. 2 resources updated
    ec2-54-196-184-11.compute-1.amazonaws.com [2014-06-26T18:17:54+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)

Answer 1

Spent an hour with a trial account and the IAM simulator to get this:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "NotAction": [
                    "ec2:RunInstances*"
                ],
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": "elasticloadbalancing:*",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": "cloudwatch:*",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": "autoscaling:*",
                "Resource": "*"
            }
        ]
    }

In case this is useful to someone: you can put whatever actions you want under NotAction.
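To see why the asker's Deny + NotAction pair fails while the answer's Allow + NotAction works, here is an added example (not from the question or the answer) that models the subset of IAM evaluation these policies rely on: explicit Deny beats Allow, a statement with NotAction matches every action not listed, and action names match case-insensitively with wildcards. The two policy sets are re-typed from the page; Resource and Condition are ignored, which is an assumption that holds here only because both use "*".

```python
import fnmatch

def statement_matches(stmt, action):
    """True when `action` falls under this statement's Action or NotAction."""
    def match(patterns):
        if isinstance(patterns, str):
            patterns = [patterns]
        # IAM matches action names case-insensitively, with '*' and '?' wildcards.
        return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)
    if "Action" in stmt:
        return match(stmt["Action"])
    if "NotAction" in stmt:
        return not match(stmt["NotAction"])   # NotAction = every action NOT listed
    return False

def evaluate(policies, action):
    """Explicit Deny wins over Allow; with no matching statement the default is implicit deny.
    Resource and Condition are ignored (assumption: both policy sets use Resource "*")."""
    decision = "implicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not statement_matches(stmt, action):
                continue
            if stmt["Effect"] == "Deny":
                return "explicitDeny"
            decision = "allowed"
    return decision

# The asker's pair as posted: an ec2:* Allow plus a Deny whose NotAction excludes RunInstances.
ASKER = [
    {"Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]},
    {"Statement": [{"Effect": "Deny", "NotAction": ["ec2:RunInstances*"], "Resource": "*"}]},
]
# The answer's first statement: an Allow whose NotAction excludes RunInstances.
ANSWER = [
    {"Statement": [{"Effect": "Allow", "NotAction": ["ec2:RunInstances*"], "Resource": "*"}]},
]

def compare(action):
    """Decision for one action under each policy set."""
    return {"asker": evaluate(ASKER, action), "answer": evaluate(ANSWER, action)}

if __name__ == "__main__":
    for a in ("ec2:DescribeVolumes", "ec2:CreateVolume", "ec2:RunInstances", "iam:CreateUser"):
        r = compare(a)
        print(f"{a:22} asker={r['asker']:13} answer={r['answer']}")
```

The Deny with NotAction denies everything except RunInstances (the exact inverse of what was wanted, which is the 403 on DescribeVolumes in the Chef log), while the iam:CreateUser case shows the side effect of the answer's approach: an Allow with NotAction grants every action of every service except those listed, so the extra ELB, CloudWatch and Auto Scaling statements are already covered by the first one. The real IAM policy simulator (for example `aws iam simulate-custom-policy`) is the right place to confirm a policy against the complete evaluation rules.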
