I'm trying to create a user policy that allows a specific user the following permissions in a specific VPC: create instances, start instances, stop instances, terminate instances.

I created and tested this policy in IAM, and it works according to the policy simulator, but when I apply it, the user cannot launch an instance. I've attached the policy and the error message below.

I seem to be missing some permission, but I don't know which, since this runs successfully in the policy simulator.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "NonResourceBasedReadOnlyPermissions",
      "Action": [
        "ec2:Describe*",
        "ec2:CreateKeyPair",
        "ec2:CreateSecurityGroup",
        "iam:GetInstanceProfile",
        "iam:ListInstanceProfiles",
        "aws-marketplace:viewSubscriptions",
        "aws-marketplace:Subscribe"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "IAMPassRoleToInstance",
      "Action": [
        "iam:PassRole"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:iam::5555555555555:role/vpc-user"
    },
    {
      "Sid": "AllowInstanceActions",
      "Effect": "Allow",
      "Action": [
        "ec2:RebootInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances",
        "ec2:StartInstances",
        "ec2:AttachVolume",
        "ec2:DetachVolume"
      ],
      "Resource": "arn:aws:ec2:us-east-1e:5555555555555:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:InstanceProfile": "arn:aws:iam::5555555555555:instance-profile/vpc-user"
        }
      }
    },
    {
      "Sid": "EC2RunInstances",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:us-east-1e:5555555555555:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:InstanceProfile": "arn:aws:iam::5555555555555:instance-profile/vpc-user"
        }
      }
    },
    {
      "Sid": "EC2RunInstancesSubnet",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:us-east-1e:5555555555555:subnet/*",
      "Condition": {
        "StringEquals": {
          "ec2:vpc": "arn:aws:ec2:us-east-1e:5555555555555:vpc/vpc-1234abcd1"
        }
      }
    },
    {
      "Sid": "RemainingRunInstancePermissions",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:us-east-1e:5555555555555:volume/*",
        "arn:aws:ec2:us-east-1e::image/*",
        "arn:aws:ec2:us-east-1e::snapshot/*",
        "arn:aws:ec2:us-east-1e:5555555555555:network-interface/*",
        "arn:aws:ec2:us-east-1e:5555555555555:key-pair/*",
        "arn:aws:ec2:us-east-1e:5555555555555:security-group/*"
      ]
    },
    {
      "Sid": "EC2VpcNonresourceSpecificActions",
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteNetworkAcl",
        "ec2:DeleteNetworkAclEntry",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:DeleteSecurityGroup"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:vpc": "arn:aws:ec2:us-east-1e:5555555555555:vpc/vpc-1234abcd1"
        }
      }
    }
  ]
}
```
Here is the error message (decoded with the awscli):
```json
{
  "allowed": false,
  "explicitDeny": false,
  "matchedStatements": {"items": []},
  "context": {
    "principal": {
      "id": "REDACTED",
      "name": "USER.REDACTED",
      "arn": "arn:aws:iam::5555555555555:user/USER.REDACTED"
    },
    "action": "ec2:RunInstances",
    "resource": "arn:aws:ec2:us-east-1:5555555555555:instance/*",
    "conditions": {
      "items": [
        {"key": "ec2:Tenancy", "values": {"items": []}},
        {"key": "ec2:AvailabilityZone", "values": {"items": []}},
        {"key": "ec2:Region", "values": {"items": []}},
        {"key": "ec2:ebsOptimized", "values": {"items": []}},
        {"key": "ec2:InstanceType", "values": {"items": []}},
        {"key": "ec2:RootDeviceType", "values": {"items": []}}
      ]
    }
  }
}
```
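One check worth running on a policy like this before reaching for the simulator is to match each statement's `Resource` patterns, field by field, against the resource ARN the decoded authorization message reports (`arn:aws:ec2:us-east-1:5555555555555:instance/*`). The following script is an added example, not the poster's code and not an AWS tool; it implements a simplified form of IAM resource matching (`*` matches any run of characters, `?` a single character, matching is case-sensitive, and `Condition` blocks are ignored), embeds two statements copied from the posted policy, and includes a heuristic lint (an assumption of this example: a region name ends in a digit, an Availability Zone name is a region name plus one letter) that flags ARNs whose region field looks like an AZ name.

```python
"""Match IAM resource ARN patterns against a requested ARN (added example).

This is not the poster's code. It implements a simplified form of IAM resource
matching: "*" matches any run of characters, "?" one character, matching is
case-sensitive, and Condition blocks are ignored. The statements and the
requested action/resource are copied from the question as posted.
"""
import json
import re

ARN_FIELDS = ("arn", "partition", "service", "region", "account", "resource")

# Two statements copied from the posted policy (the other statements are omitted).
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EC2RunInstances",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:us-east-1e:5555555555555:instance/*"
    },
    {
      "Sid": "NonResourceBasedReadOnlyPermissions",
      "Action": ["ec2:Describe*", "ec2:CreateKeyPair"],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
""")

# Action and resource exactly as they appear in the decoded authorization message.
REQUESTED_ACTION = "ec2:RunInstances"
REQUESTED_ARN = "arn:aws:ec2:us-east-1:5555555555555:instance/*"


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate an IAM pattern into an anchored regex: * -> .*, ? -> ., rest literal."""
    out = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(out) + "$")


def matches(pattern: str, value: str) -> bool:
    return pattern_to_regex(pattern).match(value) is not None


def as_list(v):
    return [v] if isinstance(v, str) else list(v)


def matching_statements(policy: dict, action: str, arn: str) -> list:
    """Return Sids of Allow statements whose Action and Resource both cover the request."""
    hits = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if any(matches(a, action) for a in as_list(st["Action"])) and \
           any(matches(r, arn) for r in as_list(st["Resource"])):
            hits.append(st["Sid"])
    return hits


def first_mismatched_field(pattern: str, arn: str):
    """Compare pattern and ARN field by field; return (field, pattern_value, arn_value) or None.

    A bare "*" is not an ARN and matches everything.
    """
    if pattern == "*":
        return None
    for name, pv, av in zip(ARN_FIELDS, pattern.split(":", 5), arn.split(":", 5)):
        if not matches(pv, av):
            return name, pv, av
    return None


# Heuristic (assumption of this example): a region name ends in a digit, an
# Availability Zone name is a region name followed by a single letter.
AZ_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d[a-z]$")


def arns_with_az_in_region_field(policy: dict) -> list:
    """Lint: (Sid, ARN) pairs whose region field looks like an AZ rather than a region."""
    found = []
    for st in policy["Statement"]:
        for r in as_list(st["Resource"]):
            parts = r.split(":", 5)
            if len(parts) == 6 and AZ_RE.match(parts[3]):
                found.append((st["Sid"], r))
    return found


if __name__ == "__main__":
    print("statements matching the request:", matching_statements(POLICY, REQUESTED_ACTION, REQUESTED_ARN))
    for sid, arn in arns_with_az_in_region_field(POLICY):
        print(f"{sid}: {arn} -> first mismatch {first_mismatched_field(arn, REQUESTED_ARN)}")
```

Run stand-alone, the script reports no matching statement for the request in the decoded message and flags the `EC2RunInstances` resource, whose region field (`us-east-1e`) differs from the region field of the requested ARN (`us-east-1`); the same lint applies to every other ARN in the posted policy, which all carry `us-east-1e`. The lint is a heuristic and conditions are not evaluated, so a clean result from this script does not by itself prove the policy allows the call.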