仅授予实例访问标签本身的权限？ [英] Give an instance only access to tag itself?

问题描述

查看这篇文章这个家伙使用了一种策略（应用于角色）来让实例标记自己。

Looking at this post this guy used a policy (applied to a role) to let an instance tag itself.

我想要的是一样。我可以使用此策略，但是如果该实例只能标记自身而不是其他实例，那就太好了。

I want EXACTLY the same thing. I could use this policy, but it would be nice if the instance could only tag itself and not other instances.

我不能将$ {ec2：SourceInstanceARN}用作资源，因此我试图使用与策略变量求值的arn匹配的条件。

I can't use ${ec2:SourceInstanceARN} as the resource so I'm trying to use a condition that matches the arn that policy variable evaluates to.

此策略无法验证：（政策中的语法错误）

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:CreateTags",
                "ec2:DescribeTags",
                "ec2:DescribeInstances"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ],
            "Condition": {
                "ArnEquals": {
                    "ec2:SourceInstanceARN": "${ec2:SourceInstanceARN}"
                }
            }
        }
    ]
}

推荐答案

对于仅适用于ec2自我行动的策略，您可以不使用此策略。

For ec2 self-action only policy, you can go off of this. We utilize it for hosts to only be able to self-terminate, self tag, etc.

    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SelfTaggingOnly",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags",
                "ec2:DeleteTags",
                "ec2:DescribeTags"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ARN": "${ec2:SourceInstanceARN}"
                }
            }
        }
    ]
}

我写了一个小的powershell测试验证来确认。它尝试自标记，删除标记，然后尝试标记严格存在的主机，以验证 self领域之外的ec2操作尝试。在下面的验证结果中，第一轮使用上述策略，第二轮我删除了条件。

I wrote a small powershell test validation to confirm. It attempts to self-tag, remove the tag, then attempts to tag a host that exists strictly for validating the attempts of ec2 actions outside the realm of "self". In the output of my validation below, the first run utilizes the policy above, for the second run I removed the condition.

使用上述策略：

Create Tags for self: PASS!
Remove Tags from self: PASS!
Unable to modify another instance's tags: PASS!
You are not authorized to perform this operation. Encoded authorization failure message: b9KG8BIyxQs~truncated_encoded_output~

已删除条件：

Create Tags for self: PASS!
Remove Tags from self: PASS!
Validation falure! I am able to modify other instance's tags!

这篇关于仅授予实例访问标签本身的权限？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！