2017-08-17 93 views
1

I have attached the custom IAM policy below as an inline policy to an IAM user, but when I log in as that user and try to launch an EC2 instance, it does not work. My requirement is to allow the user to launch only t2.micro instances. IAM policy not launching.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeImages",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:us-east-1:xxxxxxxxx:network-interface/*",
                "arn:aws:ec2:us-east-1:xxxxxxxxx:volume/*",
                "arn:aws:ec2:us-east-1:xxxxxxxxx:key-pair/*",
                "arn:aws:ec2:us-east-1:xxxxxxxxx:security-group/*",
                "arn:aws:ec2:us-east-1:xxxxxxxxx:subnet/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:us-east-1:xxxxxxxxx:instance/*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:InstanceType": "t2.micro"
                }
            }
        }
    ]
}

Any guesses as to what the problem might be?

+0

"But when I log in as the user and try to launch an EC2 instance, it does not work." - What error do you get? –

+0

Launch Failed: You are not authorized to perform this operation. – Venkat

+0

What type of instance are you trying to launch? – Mahdi

Answers

0

I think your policy is missing the following:

"arn:aws:ec2:us-east-1::image/ami-*" 

Alternatively, you can specify a particular image:

"arn:aws:ec2:us-east-1::image/ami-xxxxxxxx"

0

Instead of restricting the Allow, you could allow ec2:* but add this policy statement, which denies anything other than t2.micro:

{
    "Action": [
        "ec2:RunInstances"
    ],
    "Effect": "Deny",
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {
        "StringNotEquals": {
            "ec2:InstanceType": [
                "t2.micro"
            ]
        }
    }
},

Be careful, though: someone could launch a t2.micro, stop it, modify the instance type, and then start it again!

To prevent this, you can add:

{
    "Action": [
        "ec2:ModifyInstanceAttribute"
    ],
    "Effect": "Deny",
    "Resource": "*"
},
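To see why the first answer's missing image ARN and the second answer's Deny statements behave the way they do, here is an added example that is not code from the question or from either answer: a small offline model of how IAM evaluates ec2:RunInstances, which is authorized separately against every resource ARN the call touches (image, instance, network interface, volume, key pair, security group, subnet). It assumes a constructed account id 123456789012 in place of the xxxxxxxxx placeholder and a made-up AMI id, models only explicit Deny over Allow over implicit deny, "*" and "?" wildcards in Action and Resource, and the StringEquals / StringNotEquals operators, and ignores SCPs, permission boundaries, resource policies, NotAction and NotResource.

```python
import fnmatch

# Constructed values: the account id stands in for the "xxxxxxxxx" placeholder
# in the question; the AMI id is made up.
ACCOUNT = "123456789012"
REGION = "us-east-1"
SAMPLE_AMI = "ami-0abcdef12"


def _as_list(value):
    """IAM lets Action, Resource and condition values be a string or a list."""
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Evaluate a Condition block; only StringEquals and StringNotEquals are modelled.

    A key missing from the request context fails StringEquals and passes
    StringNotEquals, mirroring how IAM treats absent keys for negated operators.
    """
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = context.get(key)
            expected = _as_list(expected)
            if operator == "StringEquals":
                if actual is None or actual not in expected:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in expected:
                    return False
            else:
                raise ValueError("unsupported condition operator: " + operator)
    return True


def _statement_matches(statement, action, resource, context):
    """A statement applies when action, resource ('*'/'?' wildcards) and condition all match."""
    return (
        any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(statement["Action"]))
        and any(fnmatch.fnmatchcase(resource, pat) for pat in _as_list(statement["Resource"]))
        and _condition_holds(statement.get("Condition", {}), context)
    )


def evaluate(policies, action, resource, context=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one action/resource pair.

    Simplified identity-policy logic: an explicit Deny always wins, any matching
    Allow otherwise allows, and nothing matching is an implicit deny.
    """
    context = context or {}
    decision = "ImplicitDeny"
    for policy in policies:
        for statement in policy["Statement"]:
            if not _statement_matches(statement, action, resource, context):
                continue
            if statement["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def run_instances(policies, instance_type, image=SAMPLE_AMI):
    """Model ec2:RunInstances, which is authorized against every resource it touches.

    Returns (decision, failing_resource); failing_resource is None when all are allowed.
    The ec2:InstanceType condition key is only present on the instance resource.
    """
    base = "arn:aws:ec2:%s:%s" % (REGION, ACCOUNT)
    touched = [
        ("arn:aws:ec2:%s::image/%s" % (REGION, image), {}),  # AMI ARNs carry no account id
        (base + ":instance/*", {"ec2:InstanceType": instance_type}),
        (base + ":network-interface/*", {}),
        (base + ":volume/*", {}),
        (base + ":key-pair/*", {}),
        (base + ":security-group/*", {}),
        (base + ":subnet/*", {}),
    ]
    for arn, ctx in touched:
        decision = evaluate(policies, "ec2:RunInstances", arn, ctx)
        if decision != "Allow":
            return decision, arn
    return "Allow", None


def questioner_policy(include_image=False):
    """The RunInstances statements from the question, optionally with the image ARN from the first answer."""
    base = "arn:aws:ec2:%s:%s" % (REGION, ACCOUNT)
    resources = [base + ":%s/*" % kind for kind in
                 ("network-interface", "volume", "key-pair", "security-group", "subnet")]
    if include_image:
        resources.append("arn:aws:ec2:%s::image/ami-*" % REGION)
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": resources},
        {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": base + ":instance/*",
         "Condition": {"StringEquals": {"ec2:InstanceType": "t2.micro"}}},
    ]}


# The second answer's approach: broad Allow plus explicit Deny statements.
DENY_LIST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["ec2:RunInstances"], "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringNotEquals": {"ec2:InstanceType": ["t2.micro"]}}},
    {"Effect": "Deny", "Action": ["ec2:ModifyInstanceAttribute"], "Resource": "*"},
]}


if __name__ == "__main__":
    print(run_instances([questioner_policy()], "t2.micro"))      # image ARN missing: implicit deny
    print(run_instances([questioner_policy(True)], "t2.micro"))  # allowed
    print(run_instances([questioner_policy(True)], "t2.large"))  # implicit deny on the instance
    print(run_instances([DENY_LIST_POLICY], "t2.large"))         # explicit Deny on the instance
    print(evaluate([DENY_LIST_POLICY], "ec2:ModifyInstanceAttribute",
                   "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"))
```

Running it shows the two failure modes side by side: with the question's policy the image resource has no matching Allow at all, so the whole call is implicitly denied regardless of instance type, which is exactly the "not authorized" error reported in the comments; once the image ARN is added, a t2.large is still refused because the only Allow on the instance resource carries the t2.micro condition. With the deny-list policy the refusal is an explicit Deny instead, and the ModifyInstanceAttribute Deny closes the stop-modify-start gap the second answer warns about. The real service can be queried the same way with the IAM policy simulator (aws iam simulate-principal-policy), which additionally accounts for SCPs and boundaries this model leaves out.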