Usando AWS re:Post, accetti AWS re:Post Termini di utilizzo
AWS re:Postre:Post

Deny specific version of Ubuntu AMI instances being deployed

0

How can prevent users from deploying a specific flavor of Ubuntu say for example: 18.0.4 LTS?

I still want them to be able to deploy versions 21 and higher and other versions of Linux such as CentOS just not this specific version.

Argomenti
Computazionali
Tag
Provisioning di LinuxAmazon EC2Linux
Lingua
English
Hex
posta un anno fa166 visualizzazioni
2 Risposte
1

You could put conditions on user IAM roles to prevent specific AMIs, but there isn't a mechanism to prevent a certain OS in general.

profile picture
jhmartin1
con risposta 10 mesi fa
0

Thanks, I actually got it working by creating two separate policies and when scoping with two default policies that allow other EC2 instances gave me the intended results of denying any AMI containing CentOS but still allowing any other AMI image from being deployed.

The first policy below I created denies all CentOS by searching for an attribute that contains any wording that contains centos.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:*",
                "elasticloadbalancing:*",
                "autoscaling:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "autoscaling.amazonaws.com",
                        "ec2scheduled.amazonaws.com",
                        "elasticloadbalancing.amazonaws.com",
                        "spot.amazonaws.com",
                        "spotfleet.amazonaws.com",
                        "transitgateway.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Deny",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "ec2:ImageID": "ami-002070d43b0a4f171"
                },
                "ForAnyValue:StringLike": {
                    "ec2:Attribute/Condition": [
                        "Linux/Unix",
                        "CentOS*"
                    ]
                }
            }
        }
    ]
}

Then the second policy I created denies marketplace instances from being launched except ones that I own or from Amazon:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyMarketPlaceAMIAccess",
            "Effect": "Deny",
            "Action": [
                "ec2:RunScheduledInstances",
                "ec2:RunInstances"
            ],
            "Resource": "arn:aws:ec2:*::image/ami-*",
            "Condition": {
                "StringNotEquals": {
                    "ec2:Owner": [
                        "amazon",
                        "self"
                    ]
                }
            }
        }
    ]
}

Once these two are created I scoped these two policies as well as the two native policies to allow other EC2 instances from being launched.

  1. AmazonEC2FullAccess
  2. AWSCloudShellFullAccess
  3. Custom policy 1
  4. Custom policy 2

Example:

Example

Hex
con risposta 10 mesi fa

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande

Contenuto pertinente