IAM策略来限制对一个VPC的访问

您很可能需要按照示例5的方式重新构build您的IAM策略 。在控制对Amazon VPC资源的访问中 启动实例到特定的VPC中：

 { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:region:account:subnet/*", "Condition": { "StringEquals": { "ec2:Vpc": "arn:aws:ec2:region:account:vpc/vpc-1a2b3c4d" } } }, ... ] } 

也就是说，可用资源（及其粒度）是特定于每个API操作的，因此对于本例中的RunInstances，将应用于特定子网中的EC2资源，而该资源又是VPC的一部分; 因此您需要定位子网，但是可以通过上面列出的IAM策略条件的ec2:Vpc属性进一步限制可能子网的集合。

你不能基于VPC做到这一点。 AWS不支持资源级权限的EC2-Describe * API操作。 相反，您可以在安全组上应用基于单个VPC的相似内容，如下所示：

 { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:AcceptVpcPeeringConnection", "ec2:AllocateAddress", "ec2:AssignPrivateIpAddresses", "ec2:AssociateAddress", "ec2:AssociateDhcpOptions", "ec2:AssociateRouteTable", "ec2:AttachClassicLinkVpc", "ec2:AttachInternetGateway", "ec2:AttachNetworkInterface", "ec2:AttachVolume", "ec2:AttachVpnGateway", "ec2:BundleInstance", "ec2:ConfirmProductInstance", "ec2:CopyImage", "ec2:CopySnapshot", "ec2:CreateCustomerGateway", "ec2:CreateDhcpOptions", "ec2:CreateFlowLogs", "ec2:CreateImage", "ec2:CreateInstanceExportTask", "ec2:CreateInternetGateway", "ec2:CreateKeyPair", "ec2:CreateNatGateway", "ec2:CreateNetworkAcl", "ec2:CreateNetworkAclEntry", "ec2:CreateNetworkInterface", "ec2:CreatePlacementGroup", "ec2:CreateReservedInstancesListing", "ec2:CreateRoute", "ec2:CreateRouteTable", "ec2:CreateSnapshot", "ec2:CreateSpotDatafeedSubscription", "ec2:CreateSubnet", "ec2:CreateTags", "ec2:CreateVolume", "ec2:CreateVpc", "ec2:CreateVpcEndpoint", "ec2:CreateVpcPeeringConnection", "ec2:CreateVpnConnection", "ec2:CreateVpnConnectionRoute", "ec2:CreateVpnGateway", "ec2:DeleteCustomerGateway", "ec2:DeleteDhcpOptions", "ec2:DeleteFlowLogs", "ec2:DeleteInternetGateway", "ec2:DeleteKeyPair", "ec2:DeleteNatGateway", "ec2:DeleteNetworkAcl", "ec2:DeleteNetworkAclEntry", "ec2:DeleteNetworkInterface", "ec2:DeletePlacementGroup", "ec2:DeleteRoute", "ec2:DeleteRouteTable", "ec2:DeleteSnapshot", "ec2:DeleteSpotDatafeedSubscription", "ec2:DeleteSubnet", "ec2:DeleteTags", "ec2:DeleteVolume", "ec2:DeleteVpc", "ec2:DeleteVpcEndpoints", "ec2:DeleteVpcPeeringConnection", "ec2:DeleteVpnConnection", "ec2:DeleteVpnConnectionRoute", "ec2:DeleteVpnGateway", "ec2:DeregisterImage", "ec2:DescribeAccountAttributes", "ec2:DescribeAddresses", "ec2:DescribeAvailabilityZones", "ec2:DescribeBundleTasks", "ec2:DescribeClassicLinkInstances", "ec2:DescribeConversionTasks", "ec2:DescribeCustomerGateways", "ec2:DescribeDhcpOptions", "ec2:DescribeExportTasks", "ec2:DescribeFlowLogs", "ec2:DescribeHosts", "ec2:DescribeImageAttribute", "ec2:DescribeImages", "ec2:DescribeImportImageTasks", "ec2:DescribeImportSnapshotTasks", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeInternetGateways", "ec2:DescribeKeyPairs", "ec2:DescribeMovingAddresses", "ec2:DescribeNatGateways", "ec2:DescribeNetworkAcls", "ec2:DescribeNetworkInterfaceAttribute", "ec2:DescribeNetworkInterfaces", "ec2:DescribePlacementGroups", "ec2:DescribePrefixLists", "ec2:DescribeRegions", "ec2:DescribeReservedInstances", "ec2:DescribeReservedInstancesListings", "ec2:DescribeReservedInstancesModifications", "ec2:DescribeReservedInstancesOfferings", "ec2:DescribeRouteTables", "ec2:DescribeSnapshotAttribute", "ec2:DescribeSnapshots", "ec2:DescribeSpotDatafeedSubscription", "ec2:DescribeSpotFleetInstances", "ec2:DescribeSpotFleetInstances", "ec2:DescribeSpotFleetRequestHistory", "ec2:DescribeSpotFleetRequestHistory", "ec2:DescribeSpotFleetRequests", "ec2:DescribeSpotFleetRequests", "ec2:DescribeSpotInstanceRequests", "ec2:DescribeSpotPriceHistory", "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumeAttribute", "ec2:DescribeVolumes", "ec2:DescribeVolumeStatus", "ec2:DescribeVpcAttribute", "ec2:DescribeVpcClassicLink", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcEndpointServices", "ec2:DescribeVpcPeeringConnections", "ec2:DescribeVpcs", "ec2:DescribeVpnConnections", "ec2:DescribeVpnGateways", "ec2:DetachClassicLinkVpc", "ec2:DetachInternetGateway", "ec2:DetachNetworkInterface", "ec2:DetachVolume", "ec2:DetachVpnGateway", "ec2:DisableVgwRoutePropagation", "ec2:DisableVpcClassicLink", "ec2:DisassociateAddress", "ec2:DisassociateRouteTable", "ec2:EnableVgwRoutePropagation", "ec2:EnableVolumeIO", "ec2:EnableVpcClassicLink", "ec2:GetConsoleOutput", "ec2:GetPasswordData", "ec2:ImportImage", "ec2:ImportInstance", "ec2:ImportKeyPair", "ec2:ImportSnapshot", "ec2:ImportVolume", "ec2:ModifyHosts", "ec2:ModifyIdFormat", "ec2:ModifyImageAttribute", "ec2:ModifyInstanceAttribute", "ec2:ModifyInstancePlacement", "ec2:ModifyNetworkInterfaceAttribute", "ec2:ModifyReservedInstances", "ec2:ModifySnapshotAttribute", "ec2:ModifySpotFleetRequest", "ec2:ModifySubnetAttribute", "ec2:ModifyVolumeAttribute", "ec2:ModifyVpcAttribute", "ec2:ModifyVpcEndpoint", "ec2:ModifyVpcPeeringConnectionOptions", "ec2:MonitorInstances", "ec2:MoveAddressToVpc", "ec2:PurchaseReservedInstancesOffering", "ec2:RebootInstances", "ec2:RegisterImage", "ec2:RejectVpcPeeringConnection", "ec2:ReleaseAddress", "ec2:ReportInstanceStatus", "ec2:RestoreAddressToClassic", "ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances", "ec2:UnassignPrivateIpAddresses", "ec2:UnmonitorInstances", "s3:*", "elasticloadbalancing:*", "autoscaling:*" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:DescribeSecurityGroups", "ec2:DescribeTags" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress", "ec2:RevokeSecurityGroupEgress" ], "Resource": "arn:aws:ec2:REGION:ACCOUNTNUMBER:security-group/*", "Condition": { "ArnEquals": { "ec2:Vpc": "arn:aws:ec2:REGION:ACCOUNTNUMBER:vpc/VPCID" } } } ] } 

您可以根据需要更改EC2操作。