Question
I am trying to create a policy where some user can launch an instance with a specific AMI ID (ami-0fc61db8544a617ed) and instance type t2.micro in a specific region with specific storage, like 8 GB. I have this template:
```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: Policita para usuarios test
Parameters:
  GroupTest1Parameter:
    Type: String
    Default: GroupTest1
    Description: Este es el valor de entrada GroupTest1Parameter
Resources:
  PolictyTest1:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: PolictyTest1
      Groups:
        - Fn::ImportValue: !Sub "${GroupTest1Parameter}-VPCID"
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 'ec2:RunInstances'
              - 'cloudformation:Describe*'
              - 'cloudformation:List*'
              - 'cloudformation:Get*'
            Resource: 'arn:aws:ec2:*:*:instance/*'
            # Condition:
            #   StringEquals:
            #     ec2:ImageType: ami-0fc61db8544a617ed
Outputs:
  PolictyTest1:
    Description: politica que deniega
    Value: !Ref PolictyTest1
    Export:
      Name: !Sub "${AWS::StackName}-VPCID"
```
But it does not work. The template creates fine, but when I am trying to test the policy by using a test user related to this policy, he cannot launch EC2 instances. I am reading https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html#amazonec2-actions-as-permissions
Answer 1:
To test your scenario, I did the following:
- Created an IAM User
- Assigned this in-line policy to the user:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:ACCOUNT:network-interface/*",
        "arn:aws:ec2:*:ACCOUNT:volume/*",
        "arn:aws:ec2:*:ACCOUNT:key-pair/*",
        "arn:aws:ec2:*:ACCOUNT:security-group/*",
        "arn:aws:ec2:*:ACCOUNT:subnet/*",
        "arn:aws:ec2:*::image/ami-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:ACCOUNT:instance/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:InstanceType": "t2.micro"
        }
      }
    }
  ]
}
```
(Where ACCOUNT was set to my AWS Account ID.)
I was then able to successfully launch a t2.micro instance using:
```shell
aws ec2 run-instances --image-id ami-xxx --security-group-ids sg-xxx --instance-type t2.micro
```
I tried changing it to t2.nano and received an UnauthorizedOperation error.
Please note that the above run-instances command was quite minimal. It intentionally did not attempt to specify things like:
- IAM Role
- Tags
- Keypair
These items require granting additional permissions to the user. Therefore, when testing your policy, use a minimal set of requirements (similar to the above) to test the policy.
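As an added example that is not part of the question or the answer: the question's template fails because `ec2:RunInstances` is allowed on `instance/*` only, while the call also touches the image, subnet, network interface, volume, security group and key pair. The Python below does two things locally, without AWS credentials: a `missing_resource_types` check that reports which of those resource types a policy document fails to cover (it flags the question's policy and passes the answer's pattern), and a `hardened_policy` builder that implements the asker's full requirement (one AMI, one instance type, one region, a volume of at most 8 GiB) using the documented condition keys `ec2:InstanceType` and `ec2:VolumeSize` and the region field of the ARN. The account ID and region are placeholders I chose; the resource-type list follows the answer above.

```python
"""Local sanity check and hardened builder for ec2:RunInstances policies.
Added example; not code from the question or the answer."""
from __future__ import annotations

import json
import re

# Resource types that ec2:RunInstances must be allowed on. An Allow that
# names only instance/* (the question's template) is denied for the rest.
REQUIRED_RESOURCE_TYPES = {
    "instance", "image", "network-interface", "volume",
    "security-group", "subnet", "key-pair",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resource_type(arn: str):
    """Extract resource-type from arn:partition:ec2:region:account:type/id."""
    if arn == "*":
        return "*"
    m = re.match(r"^arn:[^:]*:ec2:[^:]*:[^:]*:([a-z-]+)/", arn)
    return m.group(1) if m else None


def _matches_run_instances(action: str) -> bool:
    """IAM action names are case-insensitive and may end in a wildcard."""
    a = action.lower()
    target = "ec2:runinstances"
    if a in ("*", "ec2:*", target):
        return True
    return a.endswith("*") and target.startswith(a[:-1])


def covered_resource_types(policy: dict) -> set:
    """Resource types some Allow statement grants ec2:RunInstances on."""
    found = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_matches_run_instances(a) for a in _as_list(stmt.get("Action", []))):
            continue
        for arn in _as_list(stmt.get("Resource", [])):
            rtype = _resource_type(arn)
            if rtype == "*":
                return set(REQUIRED_RESOURCE_TYPES)
            if rtype:
                found.add(rtype)
    return found


def missing_resource_types(policy: dict) -> set:
    """Empty set means every resource type RunInstances needs is covered."""
    return REQUIRED_RESOURCE_TYPES - covered_resource_types(policy)


# The question's effective policy (instance/* only), constructed for the check.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:RunInstances", "cloudformation:Describe*"],
        "Resource": "arn:aws:ec2:*:*:instance/*",
    }],
}

ACCOUNT = "111122223333"          # placeholder account ID
REGION = "us-east-1"              # placeholder region
AMI = "ami-0fc61db8544a617ed"     # AMI ID from the question


def hardened_policy(account: str = ACCOUNT, region: str = REGION, ami: str = AMI,
                    instance_type: str = "t2.micro", max_volume_gib: int = 8) -> dict:
    """Least-privilege RunInstances grant: one AMI, one type, one region, capped volume."""
    base = f"arn:aws:ec2:{region}:{account}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Only this AMI may be launched (image ARNs carry no account ID).
                "Effect": "Allow", "Action": "ec2:RunInstances",
                "Resource": f"arn:aws:ec2:{region}::image/{ami}",
            },
            {   # Only this instance type; the region in the ARN pins the region.
                "Effect": "Allow", "Action": "ec2:RunInstances",
                "Resource": f"{base}:instance/*",
                "Condition": {"StringEquals": {"ec2:InstanceType": instance_type}},
            },
            {   # Volumes created by the launch may not exceed max_volume_gib.
                "Effect": "Allow", "Action": "ec2:RunInstances",
                "Resource": f"{base}:volume/*",
                "Condition": {"NumericLessThanEquals": {"ec2:VolumeSize": str(max_volume_gib)}},
            },
            {   # Supporting resources the launch touches, no further condition.
                "Effect": "Allow", "Action": "ec2:RunInstances",
                "Resource": [f"{base}:network-interface/*", f"{base}:security-group/*",
                             f"{base}:subnet/*", f"{base}:key-pair/*"],
            },
        ],
    }


if __name__ == "__main__":
    print("question policy is missing:", sorted(missing_resource_types(QUESTION_POLICY)))
    print("hardened policy is missing:", sorted(missing_resource_types(hardened_policy())))
    print(json.dumps(hardened_policy(), indent=2))
```

The check is deliberately conservative: it only knows the resource types listed in the answer, so a policy that covers them can still fail for reasons it does not model (an IAM role, tags or a key pair passed on the command line, as the answer notes). Used together with the minimal `run-instances` call above, it pinpoints the most common cause of the UnauthorizedOperation error before you touch the account.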
Source: https://stackoverflow.com/questions/61070012/how-to-create-a-policy-of-ec2-cloudformation-with-instancetype-t2-micro