I have two VPCs in my account. One is for development, one for production. I want to create an IAM user who should only be able to see the development EC2 instances in the console, and should be able to create or reboot instances. He should not be able to see the production EC2 instances. I tried the following policy, but I get an error because:
"An error occurred fetching address data: You are not authorized to perform this operation."
My IAM policy...
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*",
        "ec2:RebootInstances",
        "ec2:RunInstances",
        "ec2:CreateTags"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:Region:VPC": "us-west-2:vpc/vpc-00000000"
        }
      }
    }
  ]
}
I can do a few things with the policy below. But I cannot apply tags. The problem is that when I insert the rule below, the user should not be able to rename any other tag in the PRODUCTION VPC, but then the user can also change the tags of instances in the other VPC...
{
  "Effect": "Allow",
  "Action": "ec2:CreateTags",
  "Resource": [
    "*"
  ]
}
This is my current rule; it can read the instances in the other VPC, but read-only. I am fine with that. But I cannot create instances with tags...
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "NonResourceBasedReadOnlyPermissions",
      "Action": [
        "ec2:Describe*",
        "ec2:CreateKeyPair",
        "ec2:CreateSecurityGroup",
        "iam:GetInstanceProfiles",
        "iam:ListInstanceProfiles"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "IAMPassRoleToInstance",
      "Action": [
        "iam:PassRole"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:iam::818755641843:role/EC2LaunchVansDEV"
    },
    {
      "Sid": "AllowInstanceActions",
      "Effect": "Allow",
      "Action": [
        "ec2:RebootInstances",
        "ec2:RunInstances",
        "ec2:StartInstances",
        "ec2:AttachVolume",
        "ec2:DetachVolume",
        "ec2:CreateTags"
      ],
      "Resource": "arn:aws:ec2:us-west-2:818755641843:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:InstanceProfile": "arn:aws:iam::818755641843:instance-profile/EC2LaunchVansDEV"
        }
      }
    },
    {
      "Sid": "EC2RunInstances",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:CreateTags"
      ],
      "Resource": "arn:aws:ec2:us-west-2:818755641843:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:InstanceProfile": "arn:aws:iam::818755641843:instance-profile/EC2LaunchVansDEV"
        }
      }
    },
    {
      "Sid": "EC2RunInstancesSubnet",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:CreateTags"
      ],
      "Resource": "arn:aws:ec2:us-west-2:818755641843:subnet/*",
      "Condition": {
        "StringEquals": {
          "ec2:vpc": "arn:aws:ec2:us-west-2:818755641843:vpc/vpc-5b0f3c3f"
        }
      }
    },
    {
      "Sid": "RemainingRunInstancePermissions",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:us-west-2:818755641843:volume/*",
        "arn:aws:ec2:us-west-2::image/*",
        "arn:aws:ec2:us-west-2::snapshot/*",
        "arn:aws:ec2:us-west-2:818755641843:network-interface/*",
        "arn:aws:ec2:us-west-2:818755641843:key-pair/*",
        "arn:aws:ec2:us-west-2:818755641843:security-group/*"
      ]
    },
    {
      "Sid": "EC2VpcNonresourceSpecificActions",
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteNetworkAcl",
        "ec2:DeleteNetworkAclEntry",
        "ec2:DeleteRoute",
        "ec2:DeleteRouteTable",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:DeleteSecurityGroup",
        "ec2:CreateTags"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:vpc": "arn:aws:ec2:us-west-2:818755641843:vpc/vpc-5b0f3c3f"
        }
      }
    }
  ]
}
Answer 1
The DescribeInstances operation cannot be restricted by the ec2:Vpc condition. In fact, it is part of a set of API operations that do not allow resource-level permissions; see the full list here:
I believe the best option is to split into multiple accounts and do the separation there.
See also:
Answer 2
Currently this is not possible without extra tricks such as tags, because these operations do not support the VPC condition:
RebootInstances
StartInstances
StopInstances
TerminateInstances
But they all support a region condition, so you may want to move the development environment to a specific region.
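As an added example (not from the question or either answer), a small Python lint that flags the two silent failure modes the answers describe: an ec2:* condition key or a non-wildcard resource on an ec2:Describe* statement, and an ec2:Vpc condition on the instance actions listed in Answer 2. The action lists, the sample policies and the ec2:Region alternative are assumptions constructed for this example, not AWS's complete rules.

```python
import fnmatch
import json

# Per the answers: Describe* accepts no resource-level permissions, so an ec2:*
# condition key or a non-"*" resource on it can never match; and these instance
# actions accept no ec2:Vpc condition. Hypothetical subset, not AWS's full list.
NO_RESOURCE_LEVEL = ("ec2:Describe*",)
NO_VPC_CONDITION = {"ec2:RebootInstances", "ec2:StartInstances",
                    "ec2:StopInstances", "ec2:TerminateInstances"}

def _as_list(v): return v if isinstance(v, list) else [v]

def _condition_keys(stmt):
    """Flatten {"StringEquals": {"ec2:vpc": ...}} into lowercase key names."""
    keys = set()
    for operands in stmt.get("Condition", {}).values():
        keys.update(k.lower() for k in operands)
    return keys

def lint_policy(policy_json):
    """Return 'Sid: problem' strings for statements that can never match."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json)["Statement"]):
        sid = stmt.get("Sid", f"statement#{i}")
        keys = _condition_keys(stmt)
        ec2_keys = sorted(k for k in keys if k.startswith("ec2:"))
        scoped = [r for r in _as_list(stmt.get("Resource", [])) if r != "*"]
        for action in _as_list(stmt.get("Action", [])):
            if any(fnmatch.fnmatchcase(action, p) for p in NO_RESOURCE_LEVEL):
                if ec2_keys or scoped:  # condition context key is absent -> deny
                    findings.append(f"{sid}: {action} never matches with "
                                    f"conditions {ec2_keys} resources {scoped}")
            elif action in NO_VPC_CONDITION and "ec2:vpc" in keys:
                findings.append(f"{sid}: {action} does not support ec2:Vpc")
    return findings

# Constructed samples: the first mirrors the question's first policy plus a
# Stop statement keyed on ec2:vpc; the second is Answer 2's region approach.
BROKEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Action": ["ec2:Describe*", "ec2:RebootInstances"], "Effect": "Allow",
     "Resource": "*", "Condition": {"StringEquals": {
         "ec2:Region:VPC": "us-west-2:vpc/vpc-00000000"}}},
    {"Sid": "Stop", "Action": "ec2:StopInstances", "Effect": "Allow",
     "Resource": "*", "Condition": {"StringEquals": {
         "ec2:vpc": "arn:aws:ec2:us-west-2:111122223333:vpc/vpc-00000000"}}}]})
REGION_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Action": "ec2:Describe*", "Effect": "Allow", "Resource": "*"},
    {"Action": list(NO_VPC_CONDITION), "Effect": "Allow", "Resource": "*",
     "Condition": {"StringEquals": {"ec2:Region": "us-west-2"}}}]})
```

Running lint_policy(BROKEN_POLICY) reports the Describe* statement (the cause of the "not authorized" error in the question) and the Stop statement, while REGION_POLICY is clean.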