AWS EC2 IAM 用户策略错误


我正在尝试创建一个 IAM 用户策略,只允许特定用户在特定 VPC 中执行以下操作:创建实例、启动实例、停止实例、终止实例。

我在 IAM 中创建并测试了该策略:在策略模拟器中它按预期通过,但实际应用到用户后,该用户无法启动(RunInstances)实例。策略和错误消息附在下面。

看起来我缺少某个权限,但不确定缺的是哪一个,因为同样的请求在策略模拟器中是能够成功的。

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "NonResourceBasedReadOnlyPermissions",
"Action": [
"ec2:Describe*",
"ec2:CreateKeyPair",
"ec2:CreateSecurityGroup",
"iam:GetInstanceProfile",
"iam:ListInstanceProfiles",
"aws-marketplace:viewSubscriptions",
"aws-marketplace:Subscribe"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "IAMPassRoleToInstance",
"Action": [
"iam:PassRole"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::5555555555555:role/vpc-user"
},
{
"Sid": "AllowInstanceActions",
"Effect": "Allow",
"Action": [
"ec2:RebootInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ec2:StartInstances",
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource": "arn:aws:ec2:us-east-1e:5555555555555:instance/*",
"Condition": {
"StringEquals": {
"ec2:InstanceProfile": "arn:aws:iam::5555555555555:instance-profile/vpc-user"
}
}
},
{
"Sid": "EC2RunInstances",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:us-east-1e:5555555555555:instance/*",
"Condition": {
"StringEquals": {
"ec2:InstanceProfile": "arn:aws:iam::5555555555555:instance-profile/vpc-user"
}
}
},
{
"Sid": "EC2RunInstancesSubnet",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:us-east-1e:5555555555555:subnet/*",
"Condition": {
"StringEquals": {
"ec2:vpc": "arn:aws:ec2:us-east-1e:5555555555555:vpc/vpc-1234abcd1"
}
}
},
{
"Sid": "RemainingRunInstancePermissions",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:us-east-1e:5555555555555:volume/*",
"arn:aws:ec2:us-east-1e::image/*",
"arn:aws:ec2:us-east-1e::snapshot/*",
"arn:aws:ec2:us-east-1e:5555555555555:network-interface/*",
"arn:aws:ec2:us-east-1e:5555555555555:key-pair/*",
"arn:aws:ec2:us-east-1e:5555555555555:security-group/*"
]
},
{
"Sid": "EC2VpcNonresourceSpecificActions",
"Effect": "Allow",
"Action": [
"ec2:DeleteNetworkAcl",
"ec2:DeleteNetworkAclEntry",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:DeleteSecurityGroup"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:vpc": "arn:aws:ec2:us-east-1e:5555555555555:vpc/vpc-1234abcd1"
}
}
}
]
}

以下是解码后的错误消息(使用 awscli 解码):

{"allowed":false,"explicitDeny":false,"matchedStatements":{"items":},"context":{"principal":{"id":"REDACTED","name":"USER.REDACTED","arn":"arn:aws:iam::5555555555555:user/USER.REDACTED"},"action":"ec2:RunInstances","resource":"arn:aws:ec2:us-east-1:5555555555555:instance/*","conditions":{"items":[{"key":"ec2:Tenancy","values":{"items":}},{"key":"ec2:AvailabilityZone","values":{"items":}},{"key":"ec2:Region","values":{"items":}},{"key":"ec2:ebsOptimized","values":{"items":}},{"key":"ec2:InstanceType","values":{"items":}},{"key":"ec2:RootDeviceType","values":{"items":}}}"
}
