我有一个具有策略的特定 AWS 组EC2FullAccess
。现在我希望该组的资源(ec2 实例)自动标记为“团队 A”,并且该组只能对标记为“团队 A”的资源使用其完全访问权限。(因此他们无法删除具有不同标签的其他 EC2 实例)。这可能吗?
我目前没有使用 cloudformation 来设置这个组/grole,但将来会将其转换为 cfn。
答案1
AWS Answers 提供答案这里。
这是他们最长的政策。它提供的政策比您需要的更复杂,但应该可以作为一个很好的例子 - 从这里开始制定应该相当简单。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowToDescribeAll",
"Effect": "Allow",
"Action": [
"ec2:Describe*"
],
"Resource": "*"
},
{
"Sid": "AllowRunInstances",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:*::image/*",
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:key-pair/*"
]
},
{
"Sid": "AllowRunInstancesWithRestrictions",
"Effect": "Allow",
"Action": [
"ec2:CreateVolume",
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:instance/*"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/key1": "value1",
"aws:RequestTag/key2": "value2"
},
"ForAllValues:StringEquals": {
"aws:TagKeys": [
"key1",
"key2"
]
}
}
},
{
"Sid": "AllowCreateTagsOnlyLaunching",
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": [
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:instance/*"
],
"Condition": {
"StringEquals": {
"ec2:CreateAction": "RunInstances"
}
}
}
]
}