无法基于标签拒绝快照创建。
0
【以下的问题经过翻译处理】 客户想要阻止创建资源,除非它们具有特定的标签。我目前正在使用以下SCP处理EC2快照、卷和实例:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "GRAPPTAG2",
"Effect": "Deny",
"Action": [
"ec2:RunInstances",
"ec2:CreateVolume",
"ec2:CreateSnapshot"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*::snapshot/*"
],
"Condition": {
"Null": {
"aws:RequestTag/application": "true"
}
}
}
]
}
但这个策略不允许我创建EC2快照,无论我是否指定标签,但它适用于创建EBS卷或EC2实例。 Now If I separate the ec2:CreateSnapshot into its own statement then it works as expected like the following: 现在,如果我将ec2:CreateSnapshot分离出来,写一个它自己的语句,它就像下面所示一样按预期工作:
enter code here
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "GRAPPTAG2",
"Effect": "Deny",
"Action": [
"ec2:RunInstances",
"ec2:CreateVolume"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*"
],
"Condition": {
"Null": {
"aws:RequestTag/application": "true"
}
}
},
{
"Sid": "GRAPPTAG3",
"Effect": "Deny",
"Action": [
"ec2:CreateSnapshot"
],
"Resource": [
"arn:aws:ec2:*::snapshot/*"
],
"Condition": {
"Null": {
"aws:RequestTag/application": "true"
}
}
}
]
}
因此,我想知道这是为什么以及是否有任何方式将它们合并成一个语句。
1 Antwort
- Neueste
- Die meisten Stimmen
- Die meisten Kommentare
0
【以下的回答经过翻译处理】 以下策略确保只有 EC2 实例、卷和快照在具有除空值以外的任何值的“应用程序”键时才会启动。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"ec2:CreateSnapshot",
"ec2:CreateVolume",
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*"
],
"Condition": {
"StringNotLike": {
"aws:RequestTag/application": "?*"
}
}
}
]
}
Relevanter Inhalt
AWS OFFICIALAktualisiert vor 7 Monaten- AWS OFFICIALAktualisiert vor 3 Jahren
- AWS OFFICIALAktualisiert vor einem Jahr
- AWS OFFICIALAktualisiert vor 2 Jahren