How to limit EC2 EBS volume size for ec2:RunInstances in IAM policy?
Question
The IAM policy I have now is able to limit the instance type, but I want to also be able to limit the EBS volume size to below a certain value. How would I modify the following JSON IAM policy? Preferably I'd want something along the lines of a "Condition": "IntegerLessThanOrEquals", but manually specifying each number is acceptable, as I need to limit it to 10 GiB.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AdminPermissions",
      "Effect": "Allow",
      "Action": [
        "ssm:SendCommand",
        "ssm:GetCommandInvocation",
        "ec2:StopInstances",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeNetworkInterfaces",
        "ec2:CreateTags"
      ],
      "Resource": "*"
    },
    {
      "Sid": "RunInstanceResourcePermissions",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*::image/*"
      ]
    },
    {
      "Sid": "LimitInstanceTypes",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:InstanceType": [
            "t2.nano",
            "t2.micro",
            "t2.small",
            "t2.medium"
          ]
        }
      }
    }
  ]
}
Edit: Answer
This is the solution I got. The Statement "LimitInstanceVolumeSize" is the new one, and the resource "arn:aws:ec2:*:*:volume/*" was moved to it.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AdminPermissions",
      "Effect": "Allow",
      "Action": [
        "ssm:SendCommand",
        "ssm:GetCommandInvocation",
        "ec2:StopInstances",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeNetworkInterfaces",
        "ec2:CreateTags"
      ],
      "Resource": "*"
    },
    {
      "Sid": "RunInstanceResourcePermissions",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*::image/*"
      ]
    },
    {
      "Sid": "LimitInstanceVolumeSize",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "NumericLessThanEquals": {
          "ec2:VolumeSize": "16"
        }
      }
    },
    {
      "Sid": "LimitInstanceTypes",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:InstanceType": [
            "t2.nano",
            "t2.micro",
            "t2.small",
            "t2.medium"
          ]
        }
      }
    }
  ]
}
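The reason the volume limit has to live in its own statement is that RunInstances is authorized once per resource the call touches (image, subnet, security group, network interface, the instance, and each EBS volume), and the whole launch fails if any one of those per-resource checks is not allowed. The ec2:VolumeSize key is only present on the volume resource, and ec2:InstanceType only on the instance resource, so a single statement cannot carry both conditions. The following added example (not code from the question, the asker's edit, or AWS) re-implements that per-resource evaluation locally for the solution policy above. It is a deliberate simplification of the real IAM engine: it handles only Allow statements, the two operators the policy uses, and treats ARN wildcards with fnmatch; the sample AMI, subnet, security group and account IDs are constructed placeholders.

```python
import fnmatch

# The RunInstances statements from the solution policy above. The SSM/StopInstances
# statement is omitted because it plays no part in authorizing ec2:RunInstances.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "RunInstanceResourcePermissions", "Effect": "Allow",
         "Action": ["ec2:RunInstances"],
         "Resource": ["arn:aws:ec2:*:*:network-interface/*",
                      "arn:aws:ec2:*:*:security-group/*",
                      "arn:aws:ec2:*:*:subnet/*",
                      "arn:aws:ec2:*::image/*"]},
        {"Sid": "LimitInstanceVolumeSize", "Effect": "Allow",
         "Action": ["ec2:RunInstances"],
         "Resource": ["arn:aws:ec2:*:*:volume/*"],
         "Condition": {"NumericLessThanEquals": {"ec2:VolumeSize": "16"}}},
        {"Sid": "LimitInstanceTypes", "Effect": "Allow",
         "Action": ["ec2:RunInstances"],
         "Resource": ["arn:aws:ec2:*:*:instance/*"],
         "Condition": {"StringEquals": {"ec2:InstanceType":
                                        ["t2.nano", "t2.micro", "t2.small", "t2.medium"]}}},
    ],
}

# Only the condition operators this policy needs (the real engine has many more).
OPERATORS = {
    "StringEquals": lambda actual, wanted: actual == wanted,
    "NumericLessThanEquals": lambda actual, wanted: float(actual) <= float(wanted),
    "NumericLessThan": lambda actual, wanted: float(actual) < float(wanted),
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, context):
    """Every operator block must match, and within a block every key must match
    at least one of its listed values. A key absent from the request context
    fails the condition, which is also how IAM treats a missing key."""
    for operator, keys in condition.items():
        test = OPERATORS[operator]
        for key, wanted in keys.items():
            if key not in context:
                return False
            if not any(test(context[key], w) for w in _as_list(wanted)):
                return False
    return True


def resource_allowed(policy, action, resource_arn, context):
    """Return (allowed, sid) for one (action, resource) pair. Allow-only: the
    first statement whose Action, Resource and Condition all match wins.
    Wildcard matching uses fnmatch, a simplification of IAM's ARN matching."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if condition_matches(stmt.get("Condition", {}), context):
            return True, stmt["Sid"]
    return False, None


def simulate_run_instances(policy, instance_type, volume_sizes_gib,
                           region="us-east-1", account="123456789012"):
    """Model a RunInstances call: one authorization check per resource, each with
    only the context keys that resource carries. Returns (allowed, denied), where
    denied lists the (arn, context) pairs no statement allowed. All IDs are
    constructed placeholders; 'pending' stands in for IDs that do not exist yet."""
    checks = [
        (f"arn:aws:ec2:{region}::image/ami-0123456789abcdef0", {}),
        (f"arn:aws:ec2:{region}:{account}:subnet/subnet-0123456789abcdef0", {}),
        (f"arn:aws:ec2:{region}:{account}:security-group/sg-0123456789abcdef0", {}),
        (f"arn:aws:ec2:{region}:{account}:network-interface/eni-pending", {}),
        (f"arn:aws:ec2:{region}:{account}:instance/i-pending",
         {"ec2:InstanceType": instance_type}),
    ]
    # Each block device mapping in the request is a separate volume resource.
    for size in volume_sizes_gib:
        checks.append((f"arn:aws:ec2:{region}:{account}:volume/vol-pending",
                       {"ec2:VolumeSize": str(size)}))
    denied = [(arn, ctx) for arn, ctx in checks
              if not resource_allowed(policy, "ec2:RunInstances", arn, ctx)[0]]
    return not denied, denied


if __name__ == "__main__":
    for itype, sizes in [("t2.micro", [8]), ("t2.micro", [8, 20]), ("m5.large", [8])]:
        ok, denied = simulate_run_instances(POLICY, itype, sizes)
        print(itype, sizes, "ALLOWED" if ok else f"DENIED on {[d[0] for d in denied]}")
```

The second case is the one worth noticing: a t2.micro with an 8 GiB root volume plus a 20 GiB data volume is refused outright, because the 20 GiB volume resource matches no statement; the asker's own request for a 10 GiB ceiling would be the same policy with "10" in place of "16". Against a real account the equivalent check is the AWS CLI's policy simulator, for example `aws iam simulate-custom-policy --policy-input-list file://policy.json --action-names ec2:RunInstances --resource-arns 'arn:aws:ec2:us-east-1:123456789012:volume/*' --context-entries 'ContextKeyName=ec2:VolumeSize,ContextKeyValues=20,ContextKeyType=numeric'`, which should report implicitDeny for that volume.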
Accepted answer
You can achieve this by using the Condition key ec2:VolumeSize; the resource would be arn:aws:ec2:region:account:volume/* and the API Action would be AttachVolume.
Thanks