2017-10-17 175 views

This is the policy I am trying to use to allow creating instances only when they carry the tags costcenter and dept with the values 115 and prod. But when I test it, even when I create an instance with those tags, IAM policy request tags

{
  "Sid": "AllowTaggedInstances",
  "Effect": "Allow",
  "Action": "ec2:RunInstances",
  "Resource": "arn:aws:ec2:us-east-1:729964090428:instance/*",
  "Condition": {
    "StringEquals": {
      "aws:RequestTag/costcenter": "115",
      "aws:RequestTag/dept": "prod"
    },
    "ForAllValues:StringEquals": {
      "aws:TagKeys": [
        "costcenter",
        "dept"
      ]
    }
  }
}

Answers

The policy you show does not have enough permissions to create an instance. This means you have another policy or role overriding this one.

In your policy, replace "RequestTag" with "ResourceTag".

Note: the best policies that use conditions do not say "allow if", but "deny if not this". A deny overrides all allows.

Here is a link to help you with ResourceTags:

EC2 Resource Tags


Your policy has insufficient permissions and policy restrictions.
If you want to allow users to create new instances with the tags costcenter:115 and dept:prod, try the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "ec2:GetConsole*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:region::image/*",
        "arn:aws:ec2:region:account:subnet/*",
        "arn:aws:ec2:region:account:network-interface/*",
        "arn:aws:ec2:region:account:security-group/*",
        "arn:aws:ec2:region:account:key-pair/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:region:account:instance/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/costcenter": "115",
          "aws:RequestTag/dept": "prod"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": [
            "costcenter",
            "dept"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags"
      ],
      "Resource": "arn:aws:ec2:region:account:*/*",
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": "RunInstances"
        }
      }
    }
  ]
}
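To see how the tag conditions in the RunInstances statement above behave, here is an added Python model (not part of the original posts and not AWS's evaluator) that implements just the two operators the policy uses, StringEquals on aws:RequestTag/* and ForAllValues:StringEquals on aws:TagKeys, and checks a few constructed tag sets against them. The function names and the simplified request context are assumptions for the illustration.

```python
# Added example: a minimal model of how IAM evaluates the tag conditions in the
# RunInstances statement above. It only covers the two operators that policy
# uses and is not the real AWS policy evaluator.

# Condition block copied from the policy in the answer.
CONDITION = {
    "StringEquals": {
        "aws:RequestTag/costcenter": "115",
        "aws:RequestTag/dept": "prod",
    },
    "ForAllValues:StringEquals": {
        "aws:TagKeys": ["costcenter", "dept"],
    },
}


def request_context(tags: dict) -> dict:
    """Build the condition keys a RunInstances call with these tags produces."""
    ctx = {f"aws:RequestTag/{k}": v for k, v in tags.items()}
    ctx["aws:TagKeys"] = list(tags)  # multivalued key: all tag keys in the request
    return ctx


def string_equals(expected: dict, ctx: dict) -> bool:
    # Single-valued operator: every listed key must be present and match exactly.
    return all(ctx.get(key) == value for key, value in expected.items())


def for_all_values_string_equals(expected: dict, ctx: dict) -> bool:
    # Set operator: every value present in the request must be in the allowed set.
    # Caveat: an empty request set (no tags at all) passes this check, which is
    # why the policy also needs the StringEquals block on the required tags.
    return all(
        set(ctx.get(key, [])) <= set(allowed) for key, allowed in expected.items()
    )


def run_instances_allowed(tags: dict) -> bool:
    """True when every condition of the Allow statement holds for these tags."""
    ctx = request_context(tags)
    return string_equals(CONDITION["StringEquals"], ctx) and \
        for_all_values_string_equals(CONDITION["ForAllValues:StringEquals"], ctx)


if __name__ == "__main__":
    # Constructed sample requests: exact tags, an extra tag, a missing tag, no tags.
    for tags in ({"costcenter": "115", "dept": "prod"},
                 {"costcenter": "115", "dept": "prod", "Name": "web"},
                 {"costcenter": "115"},
                 {}):
        print(tags, "->", "allowed" if run_instances_allowed(tags) else "implicit deny")
```

Only the request carrying exactly the two required tags is allowed; an extra tag key fails the ForAllValues check, and a missing tag fails StringEquals even though ForAllValues alone would still pass.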