Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post

Deny specific version of Ubuntu AMI instances being deployed

0

How can prevent users from deploying a specific flavor of Ubuntu say for example: 18.0.4 LTS?

I still want them to be able to deploy versions 21 and higher and other versions of Linux such as CentOS just not this specific version.

Temas
Cálculo
Etiquetas
Aprovisionamiento LinuxAmazon EC2Linux
Idioma
English
Hex
preguntada hace un año166 visualizaciones
2 Respuestas
1

You could put conditions on user IAM roles to prevent specific AMIs, but there isn't a mechanism to prevent a certain OS in general.

profile picture
jhmartin1
respondido hace 10 meses
0

Thanks, I actually got it working by creating two separate policies and when scoping with two default policies that allow other EC2 instances gave me the intended results of denying any AMI containing CentOS but still allowing any other AMI image from being deployed.

The first policy below I created denies all CentOS by searching for an attribute that contains any wording that contains centos.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:*",
                "elasticloadbalancing:*",
                "autoscaling:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "autoscaling.amazonaws.com",
                        "ec2scheduled.amazonaws.com",
                        "elasticloadbalancing.amazonaws.com",
                        "spot.amazonaws.com",
                        "spotfleet.amazonaws.com",
                        "transitgateway.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Deny",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "ec2:ImageID": "ami-002070d43b0a4f171"
                },
                "ForAnyValue:StringLike": {
                    "ec2:Attribute/Condition": [
                        "Linux/Unix",
                        "CentOS*"
                    ]
                }
            }
        }
    ]
}

Then the second policy I created denies marketplace instances from being launched except ones that I own or from Amazon:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyMarketPlaceAMIAccess",
            "Effect": "Deny",
            "Action": [
                "ec2:RunScheduledInstances",
                "ec2:RunInstances"
            ],
            "Resource": "arn:aws:ec2:*::image/ami-*",
            "Condition": {
                "StringNotEquals": {
                    "ec2:Owner": [
                        "amazon",
                        "self"
                    ]
                }
            }
        }
    ]
}

Once these two are created I scoped these two policies as well as the two native policies to allow other EC2 instances from being launched.

  1. AmazonEC2FullAccess
  2. AWSCloudShellFullAccess
  3. Custom policy 1
  4. Custom policy 2

Example:

Example

Hex
respondido hace 10 meses

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas

Contenido relevante