AWS IAM策略问题：无法允许除RunInstances以外的所有其他应用程序

我们正在努力创build一个允许除RunInstances以外的所有EC2操作的IAM策略。 这是为了防止API密钥泄露启动未经授权的实例。 我们尝试了这两种方法，不pipeEC2允许*，因为我不清楚NotAction是否意味着所有的操作。

随着NotAction的到位，我不能提供EBS卷（下）。 我们是否需要将EC2允许*和Notaction实例融合到同一个政策部分？

EC2所有权限：

“行动”：“ec2： ”，“效果”：“允许”，“资源”：“ ”，

• AWS中Web应用程序和Windows服务远程configuration的最佳实践
• 使用AWS和EC2进行PHP错误日志logging
• AWS SSD批量定价和IO请求
• 在一个Windows EC2实例中，需要多less弹性IP才能在IIS中使用SSL来托pipe两个站点
• 自动更新具有私有子网的AWS VPC中的NAT实例和SSH连接

然后是拒绝RunInstances的第二个策略（从以前的IAM策略回答类似的话题

{“声明”：[{“NotAction”：[“ec2：RunInstances *”]，“Effect”：“Deny”，“Resource”：“*”}]}

ec2-54-196-184-11.compute-1.amazonaws.com * aws_ebs_volume [ip-10-140-10-132.volume15]动作创build

ec2-54-196-184-11.compute-1.amazonaws.com [2014-06-26T18：17：53 + 00：00]警告：##### RightAws :: Ec2返回一个错误：403 Forbidden

ec2-54-196-184-11.compute-1.amazonaws.com

ec2-54-196-184-11.compute-1.amazonaws.com UnauthorizedOperation您UnauthorizedOperation执行此操作.fcd71112-db50-4102-9855-a46749574de9 #####

ec2-54-196-184-11.compute-1.amazonaws.com [2014-06-26T18：17：53 + 00：00]警告：##### RightAws :: Ec2请求： https：//我们-east-1.ec2.amazonaws.com:443/?AWSAccessKeyId=XXXXXXXXXXXXXXXXXXX&Action=DescribeVolumes&SignatureMethod=HmacSHA256&SignatureVersion=2&Timestamp=2014-06-26T18%3A17%3A53.000Z&Version=2012-06-15&Signature=cRMAxfs3RP0R9rlQeb7JU9zYeey8L3CWQI2Pkj2o3V0%3D ####

ec2-54-196-184-11.compute-1.amazonaws.com

ec2-54-196-184-11.compute-1.amazonaws.com ================================= ===============================================

ec2-54-196-184-11.compute-1.amazonaws.com错误执行行动create资源'aws_ebs_volume [ip-10-140-10-132.volume15]'

ec2-54-196-184-11.compute-1.amazonaws.com ================================= ===============================================

ec2-54-196-184-11.compute-1.amazonaws.com

ec2-54-196-184-11.compute-1.amazonaws.com

ec2-54-196-184-11.compute-1.amazonaws.com RightAws :: AwsError

ec2-54-196-184-11.compute-1.amazonaws.com ——————

ec2-54-196-184-11.compute-1.amazonaws.com UnauthorizedOperation：您无权执行此操作。

ec2-54-196-184-11.compute-1.amazonaws.com

ec2-54-196-184-11.compute-1.amazonaws.com

ec2-54-196-184-11.compute-1.amazonaws.com食谱跟踪：

ec2-54-196-184-11.compute-1.amazonaws.com —————

ec2-54-196-184-11.compute-1.amazonaws.com /var/chef/cache/cookbooks/aws/providers/ebs_volume.rb:138:in`currently_attached_volume'

ec2-54-196-184-11.compute-1.amazonaws.com /var/chef/cache/cookbooks/aws/providers/ebs_volume.rb:26:in`block in class_from_file'

ec2-54-196-184-11.compute-1.amazonaws.com

ec2-54-196-184-11.compute-1.amazonaws.com

ec2-54-196-184-11.compute-1.amazonaws.com资源声明：

ec2-54-196-184-11.compute-1.amazonaws.com ———————

ec2-54-196-184-11.compute-1.amazonaws.com＃在/var/chef/cache/cookbooks/cook_aws/recipes/ebs.rb

ec2-54-196-184-11.compute-1.amazonaws.com

ec2-54-196-184-11.compute-1.amazonaws.com 26：aws_ebs_volume节点['w2o'] ['ebs'] ['volume_name']

ec2-54-196-184-11.compute-1.amazonaws.com 27：action [：create，：attach]

ec2-54-196-184-11.compute-1.amazonaws.com 28：aws_access_key节点['aws'] ['access_key_id']

ec2-54-196-184-11.compute-1.amazonaws.com 29：aws_secret_access_key节点['aws'] ['secret_access_key']

ec2-54-196-184-11.compute-1.amazonaws.com 30：设备节点['w2o'] ['ebs'] ['ebs_device']

ec2-54-196-184-11.compute-1.amazonaws.com 31：size node ['w2o'] ['ebs'] ['ebs_mount_size']

ec2-54-196-184-11.compute-1.amazonaws.com 32：

ec2-54-196-184-11.compute-1.amazonaws.com 33：＃指定piops如果存在于节点attr

ec2-54-196-184-11.compute-1.amazonaws.com 34：if node ['w2o'] ['ebs'] ['ebs_piops']> 0

ec2-54-196-184-11.compute-1.amazonaws.com 35：piops node ['w2o'] ['ebs'] ['ebs_piops']

ec2-54-196-184-11.compute-1.amazonaws.com 36：volume_type'io1'

ec2-54-196-184-11.compute-1.amazonaws.com 37：结束

ec2-54-196-184-11.compute-1.amazonaws.com 38：

ec2-54-196-184-11.compute-1.amazonaws.com

ec2-54-196-184-11.compute-1.amazonaws.com

ec2-54-196-184-11.compute-1.amazonaws.com

ec2-54-196-184-11.compute-1.amazonaws.com编译的资源：

ec2-54-196-184-11.compute-1.amazonaws.com ——————

ec2-54-196-184-11.compute-1.amazonaws.com＃声明在/var/chef/cache/cookbooks/cook_aws/recipes/ebs.rb:26:in`from_file'

ec2-54-196-184-11.compute-1.amazonaws.com

ec2-54-196-184-11.compute-1.amazonaws.com aws_ebs_volume（“ip-10-140-10-132.volume15”）

ec2-54-196-184-11.compute-1.amazonaws.com action [：create，：attach]

ec2-54-196-184-11.compute-1.amazonaws.com重试0

ec2-54-196-184-11.compute-1.amazonaws.com retry_delay 2

ec2-54-196-184-11.compute-1.amazonaws.com cookbook_name“cook_aws”

ec2-54-196-184-11.compute-1.amazonaws.com recipe_name“ebs”

ec2-54-196-184-11.compute-1.amazonaws.com aws_access_key“XXXXXXXXXXXXXXXXXXXXX”

ec2-54-196-184-11.compute-1.amazonaws.com aws_secret_access_key“XXXXXXXXXXXXXXXXXXXXX”

ec2-54-196-184-11.compute-1.amazonaws.com设备“/ dev / xvdf”

ec2-54-196-184-11.compute-1.amazonaws.com大小50

ec2-54-196-184-11.compute-1.amazonaws.com结束

ec2-54-196-184-11.compute-1.amazonaws.com

ec2-54-196-184-11.compute-1.amazonaws.com

ec2-54-196-184-11.compute-1.amazonaws.com

ec2-54-196-184-11.compute-1.amazonaws.com [2014-06-26T18：17：53 + 00：00]错误：运行exception处理程序

ec2-54-196-184-11.compute-1.amazonaws.com [2014-06-26T18：17：53 + 00：00]错误：exception处理完成

ec2-54-196-184-11.compute-1.amazonaws.com [2014-06-26T18：17：53 + 00：00]致命：Stacktrace转储到/var/chef/cache/chef-stacktrace.out ec2 -54-196-184-11.compute-1.amazonaws.com厨师客户失败。 2资源更新

ec2-54-196-184-11.compute-1.amazonaws.com [2014-06-26T18：17：54 + 00：00] FATAL：Chef :: Exceptions :: ChildConvergeError：厨师跑步过程退出失败（退出代码1）

 { "Version": "2012-10-17", "Statement": [ { "NotAction": [ "ec2:RunInstances*" ], "Effect": "Allow", "Resource": "*" }, { "Effect": "Allow", "Action": "elasticloadbalancing:*", "Resource": "*" }, { "Effect": "Allow", "Action": "cloudwatch:*", "Resource": "*" }, { "Effect": "Allow", "Action": "autoscaling:*", "Resource": "*" } ]