允许AWS IAM用户启动只有一个EC2实例 [英] Allow AWS IAM user to launch only one ec2 instance

问题描述

在亚马逊AWS，我想给我的IAM注册（Windows）中的用户一个很小的API为基础的计划，将推出AMI的定制实例，然后她的计算机连接到它。容易 - 但是，如果相同的用户应尽量推出而第一仍在运行（从同一个或另一个机）的另一个实例中，第二和后续尝试必须失败。将AMI将多个用户之间共享。实例将是唯一的用户。

In Amazon AWS, I would like to give my IAM-registered (Windows) user a small API-based program that will launch a custom AMI-based instance and then connect her machine to it. Easy - but if the same user should try to launch another instance while the first is still running (from the same or another machine), the second and subsequent attempts must fail. The AMI will be shared between multiple users. The instance will be unique to the user.

请注意，这个问题一些类似的问题不同，因为我需要启动的实例上的需求，但让没有进一步的情况。我们的目标是prevent从比被许可使用更多的应用程序。

Note that this problem differs from some similar questions because I need to launch the instance on demand, but allow no further instances. The goal is to prevent an application from being used more than is licensed.

理想的检测和preventing这将一切发生在AWS的一面，因为它是更安全的。

Ideally detecting and preventing this would all happen on the AWS side, because it is more secure.

在客户端，我可以看到，我可以使用标签来做到这一点 - 标签与用户名已启动实例，并允许一个实例启动之前搜索的标签。

On the client side, I can see how I could use tags to do this - tag the launched instance with the users name, and search for tags before allowing an instance to start.

有没有办法做到这一点在服务器端，与IAM策略条件还是什么？

Is there a way to do it on the server side, with IAM policy conditions or something?

推荐答案

当然。这里有一个简单的例子，在那里我已经给所有EC2操作的用户访问，除了那些我已经明确拒绝，如果存在与键MyTag的和值MyTagValue一个ResourceTag。

Sure. Here's a simple example, where I've given the user access to all ec2 actions except for those I've explicitly denied if a ResourceTag with the key "MyTag" and value "MyTagValue" exist.

被拒绝的行为：

• <一个href="http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ApiReference-query-PurchaseReservedInstancesOffering.html">PurchaseReservedInstancesOffering
• <一个href="http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ApiReference-query-RequestSpotInstances.html">RequestSpotInstances
• <一个href="http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ApiReference-query-RunInstances.html">RunInstances

• PurchaseReservedInstancesOffering
• RequestSpotInstances
• RunInstances

例如：

{
  "Statement": [
    {
      "Action": [
        "ec2:PurchaseReservedInstancesOffering",
        "ec2:RequestSpotInstances",
        "ec2:RunInstances"
      ],
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ec2:ResourceTag/MyTag": "MyTagValue"
        }
      }
    },
    {
      "Action": "ec2:*",
      "Effect": "Allow",
      "Resource": "*"
    }   
  ]
}

下面是从 IAM策略模拟器：

这些行动的允许的时，该标签不存在，是一些其他的价值，等等。

Those actions are allowed when that tag doesn't exist, is some other value, etc.

此外，EC2允许操作动作：EC2：*？是提供了一个例子......你可以删除整个块或使用它作为一个模板，开始只允许一组特定的EC2行动，以你的用户。

Also, the ec2 allow action "Action": "ec2:*" was for sake of example... you can remove that whole block or use it as a template to begin allowing only a specific set of EC2 actions to your users.

这篇关于允许AWS IAM用户启动只有一个EC2实例的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！