AWS IAM仅显示未标记的EC2实例 [英] AWS IAM Show only untagged EC2 instances

问题描述

我正在尝试引入访客IAM策略，以限制对 EC2 实例的访问。
我正在尝试达到此目的，来宾策略仅显示未标记为部门或未标记为部门=访客的实例。

I'm attempting to introduce a guest IAM policy to restrict the access to the EC2 instances. I'm trying to reach that, the guest policy shows only that instances, which is not tagged with 'Department' or tagged with 'Department = Guest'.

这是我为此制定的政策：

Here is the policy, that I made for this:

政策：

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
            "ec2:Describe*"
        ],
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "ec2:ResourceTag/Department": "Guest"
            },
            "Null": {
                "ec2:ResourceTag/Department": "true"
            }
        }
    }
]}

部门=来宾 的比较工作正常，但是对资源标记的存在检查不起作用。

The "Department = Guest" comparison is working well, but the Resource Tag existence check is not working.

还有其他方法可以列出吗？ e实例，这些实例没有'Department'标签？

Is there any other way to list the instances, which haven't got 'Department' tag?

推荐答案

用例来控制同一区域IAM中的哪些EC2资源用户无法看到基于标签（通过其他方式），因为所有EC2描述API调用不支持资源级别权限。

The use case to control which EC2 resources in same region IAM users can see based on tag (by other means) is not possible since all EC2 describe API calls do not support resource level permission.

因此，我们不能使用EC2条件（除了 ec2：Region ）和 ec2：Describe *操作。因此，您可以授予查看资源的权限，也可以不获取资源。

Hence we cannot use EC2 conditions (except ec2:Region) with "ec2:Describe*" action. So, either you give permission to see resources or don't.

这篇关于AWS IAM仅显示未标记的EC2实例的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！