You could put conditions on user IAM roles to prevent specific AMIs, but there isn't a mechanism to prevent a certain OS in general.
Thanks, I actually got it working by creating two separate policies; when scoped together with two default policies that allow other EC2 instances, they gave me the intended result of denying any AMI containing CentOS while still allowing any other AMI image to be deployed.
The first policy below, which I created, denies all CentOS by searching for an attribute whose wording contains centos.
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:*",
                "elasticloadbalancing:*",
                "autoscaling:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "autoscaling.amazonaws.com",
                        "ec2scheduled.amazonaws.com",
                        "elasticloadbalancing.amazonaws.com",
                        "spot.amazonaws.com",
                        "spotfleet.amazonaws.com",
                        "transitgateway.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Deny",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "ec2:ImageID": "ami-002070d43b0a4f171"
                },
                "ForAnyValue:StringLike": {
                    "ec2:Attribute/Condition": [
                        "Linux/Unix",
                        "CentOS*"
                    ]
                }
            }
        }
    ]
}
```
Then the second policy I created denies marketplace instances from being launched, except ones that I own or that come from Amazon:
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyMarketPlaceAMIAccess",
            "Effect": "Deny",
            "Action": [
                "ec2:RunScheduledInstances",
                "ec2:RunInstances"
            ],
            "Resource": "arn:aws:ec2:*::image/ami-*",
            "Condition": {
                "StringNotEquals": {
                    "ec2:Owner": [
                        "amazon",
                        "self"
                    ]
                }
            }
        }
    ]
}
```
Once these two were created, I scoped these two policies as well as the two native policies to allow other EC2 instances to be launched:
- AmazonEC2FullAccess
- AWSCloudShellFullAccess
- Custom policy 1
- Custom policy 2
Example:
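As an added illustration (not code from the answer above), the small evaluator below implements only the condition operators those two policies use and checks how an explicit Deny overrides the broad Allow from AmazonEC2FullAccess for a few constructed request contexts. It simplifies RunInstances to a single image resource, uses constructed owner and AMI values, and treats the author's `ec2:Attribute/Condition` key as an assumption; its last case shows that every condition block in a statement must match (logical AND), so a request missing that key is not caught by the CentOS Deny.

```python
import fnmatch

# Constructed sample: the ec2:* Allow from AmazonEC2FullAccess plus the two Deny
# statements from the answer above (Sids and unrelated statements dropped).
POLICIES = [
    {"Effect": "Allow", "Action": ["ec2:*"], "Resource": ["*"]},
    {"Effect": "Deny", "Action": ["ec2:RunInstances", "ec2:RunScheduledInstances"],
     "Resource": ["arn:aws:ec2:*::image/ami-*"],
     "Condition": {"StringNotEquals": {"ec2:Owner": ["amazon", "self"]}}},
    {"Effect": "Deny", "Action": ["ec2:*"], "Resource": ["*"],
     "Condition": {"StringEqualsIgnoreCase": {"ec2:ImageID": ["ami-002070d43b0a4f171"]},
                   "ForAnyValue:StringLike": {"ec2:Attribute/Condition": ["Linux/Unix", "CentOS*"]}}}]


def _match(pattern, value):
    """IAM-style * and ? wildcard match (case-sensitive)."""
    return fnmatch.fnmatchcase(value, pattern)


def _cond_ok(op, key, expected, ctx):
    """Evaluate one operator for one key; an absent key fails (no ...IfExists operators used)."""
    actual = ctx.get(key)
    if actual is None:
        return False
    actual = actual if isinstance(actual, list) else [actual]
    set_op, _, base = op.rpartition(":")  # "ForAnyValue:StringLike" -> ("ForAnyValue", "StringLike")

    def test(a):
        if base == "StringEquals":
            return a in expected
        if base == "StringEqualsIgnoreCase":
            return a.lower() in [e.lower() for e in expected]
        if base == "StringNotEquals":
            return a not in expected
        if base == "StringLike":
            return any(_match(e, a) for e in expected)
        raise ValueError(f"unsupported operator {op}")

    if set_op == "ForAnyValue":
        return any(test(a) for a in actual)
    if set_op == "ForAllValues":
        return all(test(a) for a in actual)
    return test(actual[0])  # single-valued key


def _applies(stmt, ctx):
    """Action, resource and every condition block/key must all match for a statement to apply."""
    return (any(_match(a, ctx["action"]) for a in stmt["Action"])
            and any(_match(r, ctx["resource"]) for r in stmt["Resource"])
            and all(_cond_ok(op, k, v, ctx)
                    for op, keys in stmt.get("Condition", {}).items() for k, v in keys.items()))


def evaluate(ctx, policies=POLICIES):
    """Explicit Deny wins over Allow; with no matching statement the result is an implicit Deny."""
    effects = {s["Effect"] for s in policies if _applies(s, ctx)}
    return "Deny" if "Deny" in effects else ("Allow" if "Allow" in effects else "Deny")
```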