I have two VPCs in my account, one for DEV and one for production. I want to create an IAM user who can only see the DEV EC2 instances in the console and should be able to create or reboot instances. He should not see the production EC2 instances. I tried the following policy and got the error "An error occurred fetching address data: You are not authorized to perform this operation." My IAM policy…
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*",
        "ec2:RebootInstances",
        "ec2:RunInstances",
        "ec2:CreateTags"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:Region:VPC": "us-west-2:vpc/vpc-00000000"
        }
      }
    }
  ]
}
With this I can do some things here, but I cannot apply tags. The thing is, the user should not be able to rename any other tags in the PRODUCTION VPC; when I insert the rule below, the user can change the tags of the other VPC's instances as well…
{
  "Effect": "Allow",
  "Action": "ec2:CreateTags",
  "Resource": [ "*" ]
}
This is my current rule; it can read the other VPC's instances, but read only. I am fine with that. But I cannot create instances with tags…
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "NonResourceBasedReadOnlyPermissions",
      "Action": [
        "ec2:Describe*",
        "ec2:CreateKeyPair",
        "ec2:CreateSecurityGroup",
        "iam:GetInstanceProfiles",
        "iam:ListInstanceProfiles"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "IAMPassRoleToInstance",
      "Action": [ "iam:PassRole" ],
      "Effect": "Allow",
      "Resource": "arn:aws:iam::818755641843:role/EC2LaunchVansDEV"
    },
    {
      "Sid": "AllowInstanceActions",
      "Effect": "Allow",
      "Action": [
        "ec2:RebootInstances",
        "ec2:RunInstances",
        "ec2:StartInstances",
        "ec2:AttachVolume",
        "ec2:DetachVolume",
        "ec2:CreateTags"
      ],
      "Resource": "arn:aws:ec2:us-west-2:818755641843:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:InstanceProfile": "arn:aws:iam::818755641843:instance-profile/EC2LaunchVansDEV"
        }
      }
    },
    {
      "Sid": "EC2RunInstances",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:CreateTags"
      ],
      "Resource": "arn:aws:ec2:us-west-2:818755641843:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:InstanceProfile": "arn:aws:iam::818755641843:instance-profile/EC2LaunchVansDEV"
        }
      }
    },
    {
      "Sid": "EC2RunInstancesSubnet",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:CreateTags"
      ],
      "Resource": "arn:aws:ec2:us-west-2:818755641843:subnet/*",
      "Condition": {
        "StringEquals": {
          "ec2:vpc": "arn:aws:ec2:us-west-2:818755641843:vpc/vpc-5b0f3c3f"
        }
      }
    },
    {
      "Sid": "RemainingRunInstancePermissions",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:us-west-2:818755641843:volume/*",
        "arn:aws:ec2:us-west-2::image/*",
        "arn:aws:ec2:us-west-2::snapshot/*",
        "arn:aws:ec2:us-west-2:818755641843:network-interface/*",
        "arn:aws:ec2:us-west-2:818755641843:key-pair/*",
        "arn:aws:ec2:us-west-2:818755641843:security-group/*"
      ]
    },
    {
      "Sid": "EC2VpcNonresourceSpecificActions",
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteNetworkAcl",
        "ec2:DeleteNetworkAclEntry",
        "ec2:DeleteRoute",
        "ec2:DeleteRouteTable",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:DeleteSecurityGroup",
        "ec2:CreateTags"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:vpc": "arn:aws:ec2:us-west-2:818755641843:vpc/vpc-5b0f3c3f"
        }
      }
    }
  ]
}
The DescribeInstances action cannot be restricted by the ec2:Vpc condition. In fact, it is part of a set of API actions that do not allow resource-level permissions; see the full list here:
I believe your best option is to split into multiple accounts and do the separation there.
Also see:
It is currently not possible without additional tricks such as tags, because these actions do not support the VPC condition:
RebootInstances
StartInstances
StopInstances
TerminateInstances
But they all support the region condition, so you may want to move the development environment to a specific region.
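As an added illustration of the "tags plus region" approach the answer above mentions (this is not from the original answerers or from AWS documentation), the policy below scopes the four instance-lifecycle actions to us-west-2 and to instances carrying an assumed tag Environment=dev, allows that tag to be set only while RunInstances creates the instance, and denies any later change to the Environment tag key so the user cannot retag a production instance into the dev scope. It reuses the account ID and region from the question and assumes the poster's existing RunInstances and Describe* statements remain in place alongside it; ec2:Region, ec2:ResourceTag/<key>, ec2:CreateAction, aws:RequestTag/<key> and aws:TagKeys are standard IAM condition keys.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LifecycleOnlyOnDevTaggedInstancesInRegion",
      "Effect": "Allow",
      "Action": [
        "ec2:RebootInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "arn:aws:ec2:us-west-2:818755641843:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:Region": "us-west-2",
          "ec2:ResourceTag/Environment": "dev"
        }
      }
    },
    {
      "Sid": "SetEnvironmentTagOnlyAtLaunchAndOnlyAsDev",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:us-west-2:818755641843:*/*",
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": "RunInstances",
          "aws:RequestTag/Environment": "dev"
        }
      }
    },
    {
      "Sid": "DenyChangingEnvironmentTagAfterLaunch",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": { "aws:TagKeys": "Environment" },
        "Null": { "ec2:CreateAction": "true" }
      }
    }
  ]
}
```

The region ARN segment already limits the resource to us-west-2, so the ec2:Region condition is redundant here and is kept only to show the condition key the answer refers to; the Describe* limitation discussed above still applies, so the user will continue to see production instances in the console.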