在ec2中强制标记

提问者：小点点

创建了一个IAM策略，该策略应该限制用户现在允许在标签值不满足时创建ec2实例

{"版本"："2012-10-17"，"声明": [ { "Sid"："AllowTodescription beAll"，"效果"："允许"，"操作"：["ec2：描述*" ], "资源": "" }, { "Sid"："AllowRunInstance"，"效果"："允许"，"操作"："ec2： Run实例"，"资源"：["arn： aws：ec2::： Image/"，"arn： aws：ec2::： snapshot/"，"arn： aws：ec2::： subnet/"，"arn： aws：ec2::： network-接口/"，"arn： aws：ec2::： security-group/"，"arn： aws：ec2::： key对/" ] }, { "Sid"："AllowRunInstancesAnd Re限制"，"效果"："允许"，"操作"：["ec2： CreateVolume"，"ec2： RunInstance"]，"资源"：["arn： aws：ec2::：卷/"，"arn： aws：ec2::：实例/" ], "条件"：{"StringEquals"：{"aws：请求标记/关闭"："true"，"aws：请求标记/终止"："true"}，"ForAllVales： StringEquals"：{"aws： TagKeys"：["关闭"，"终止" ] } } }, { "Sid"："AllowCreateTagsOnly启动"，"效果"："允许"，"操作"：["ec2： CreateTags"]，"资源"：["arn： aws：ec2::：卷/"，"arn： aws：ec2::：实例/*" ], "条件"：{"StringEquals"：{"ec2： CreateAction"："运行实例" } } } ] }

共2个答案

匿名用户

请与策略模拟器联系，网址为https://policysim.aws.amazon.com/home/index.jsp?#

通过以下策略，我可以确认它的工作原理：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowToDescribeAll",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowRunInstances",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:*::image/*",
                "arn:aws:ec2:*::snapshot/*",
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:key-pair/*"
            ]
        },
        {
            "Sid": "AllowRunInstancesWithRestrictions",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVolume",
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/terminate": "true",
                    "aws:RequestTag/shutdown": "true"
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": [
                        "terminate",
                        "shutdown"
                    ]
                }
            }
        },
        {
            "Sid": "AllowCreateTagsOnlyLaunching",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": "RunInstances"
                }
            }
        }
    ]
}

匿名用户

你可以用这样的东西

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": [
                        "Application",
                        "Environment"
                    ]
                },
                "StringEqualsIfExists": {
                    "aws:RequestTag/Application": [
                        "app-01",
                        "app-02"
                    ],
                    "aws:RequestTag/Environment": [
                        "development",
                        "production"
                    ]
                }
            }
        }
    ]
}