So far, permission policies haven't evaluated seven specific EC2-specific condition keys and all the global condition keys for the snapshot specified for ec2:CreateVolume operations or as the source snapshot for ec2:CopySnapshot operations. The seven EC2-specific keys are ec2:ProductCode, ec2:Encrypted, ec2:VolumeSize, ec2:ParentSnapshot, ec2:Owner, ec2:ParentVolume, and ec2:SnapshotTime.
What AWS is changing today is that the condition keys start to be evaluated for the source snapshot in those operations.
If you received the health notification, you probably have one of the keys contained in some policy applied in your account. It doesn't necessarily mean that the change would break anything, but for example, if you had a "Deny" statement in some of your policies blocking operations when they contain the ec2:Encrypted key with a false value, then before the change, that would have prevented creating unencrypted EBS volumes, but after the change, it would additionally prevent volumes from being created from unencrypted snapshots. The EBS snapshots of public AMIs, such as those that most would use to launch basic, uncustomised virtual servers, are unencrypted, so the preexisting Deny statement would suddenly start blocking regular server launches. Previously, the ec2:Encrypted key wouldn't have been present in ec2:CreateVolume operations with the snapshot as the resource, and that's why even a broadly applied Deny statement wouldn't have matched it.
Of the global condition keys (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html), it would probably be keys like aws:ResourceTag/tag-key, aws:ResourceAccount, or aws:ResourceOrgID that are most typically used to restrict operations in a way that might lead to access to the snapshots being blocked inadvertently. For example, if creating volumes was meant to require certain tags but the policy statement isn't scoped to resources of the volume type, the restrictions would also start to get evaluated for the source snapshots from which volumes are created.
If you notice anything not working after the change is implemented, you should review the policies applied to the acting principal and check for statements that either allow actions conditionally based on any of those seven EC2 keys or the global condition keys, or explicitly deny actions based on them, and adjust them so that the actions that are needed are permitted. If you have CloudTrail logs sent to an S3 bucket and have Athena or another solution for analysing them, you can look for operations with eventSource = ec2.amazonaws.com and errorCode "is not null" to find them. Note that the logged eventName might not be CreateVolume, for example, but RunInstances or another operation that gets the associated CreateVolume permission authorised as part of executing the parent operation.
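The two checks the answer above recommends, as an added example that is not part of the original post: a policy linter that flags statements using the seven EC2 keys (or the resource-scoped global keys) on ec2:CreateVolume / ec2:CopySnapshot without being scoped to volume ARNs, and a CloudTrail filter for EC2 calls that returned an errorCode. The sample policy and log records are constructed for this example; the "scoped to volume ARNs" heuristic and the error codes in the sample records are assumptions, not taken from the answer.

```python
"""Post-change review helpers (added example, not from the re:Post answer)."""
import fnmatch

# The seven EC2-specific keys named in the answer, lowercased because IAM
# condition-key names are matched case-insensitively.
EC2_SNAPSHOT_KEYS = {
    "ec2:productcode", "ec2:encrypted", "ec2:volumesize", "ec2:parentsnapshot",
    "ec2:owner", "ec2:parentvolume", "ec2:snapshottime",
}
# Global keys the answer calls out; aws:ResourceTag is compared on its prefix.
GLOBAL_RESOURCE_KEYS = {"aws:resourcetag", "aws:resourceaccount", "aws:resourceorgid"}
# Operations whose source snapshot is now evaluated against those keys.
AFFECTED_ACTIONS = ("ec2:createvolume", "ec2:copysnapshot")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _touches_affected_action(stmt):
    # "Action" may be a string or a list and may carry wildcards such as "ec2:*".
    patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
    return any(fnmatch.fnmatchcase(action, p) for action in AFFECTED_ACTIONS for p in patterns)


def _scoped_to_volumes(stmt):
    # Heuristic (assumption): a statement whose every Resource is a volume ARN is
    # never evaluated against the snapshot resource, so it is not affected.
    resources = [r.lower() for r in _as_list(stmt.get("Resource", "*"))]
    return bool(resources) and all(":volume/" in r for r in resources)


def lint_policy(policy):
    """Return (Sid-or-index, condition key) pairs that deserve review."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if not _touches_affected_action(stmt) or _scoped_to_volumes(stmt):
            continue
        for operator_block in stmt.get("Condition", {}).values():
            for key in operator_block:
                low = key.lower()
                if low in EC2_SNAPSHOT_KEYS or low.split("/")[0] in GLOBAL_RESOURCE_KEYS:
                    findings.append((stmt.get("Sid", f"statement[{idx}]"), key))
    return findings


def failed_ec2_calls(records):
    """Keep CloudTrail records with eventSource ec2.amazonaws.com and an errorCode,
    the same filter the answer suggests running in Athena."""
    out = []
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com" or not rec.get("errorCode"):
            continue
        out.append({
            "eventTime": rec.get("eventTime"),
            "eventName": rec.get("eventName"),  # may be RunInstances, not CreateVolume
            "errorCode": rec["errorCode"],
            "errorMessage": rec.get("errorMessage", ""),
            "principal": rec.get("userIdentity", {}).get("arn", ""),
        })
    return out


# Constructed sample policy: one unscoped Deny, the same Deny scoped to volumes,
# a tag-gated Allow with Resource "*", and an unrelated statement.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyUnencryptedVolumes", "Effect": "Deny", "Action": "ec2:CreateVolume",
         "Resource": "*", "Condition": {"Bool": {"ec2:Encrypted": "false"}}},
        {"Sid": "DenyUnencryptedVolumesScoped", "Effect": "Deny", "Action": "ec2:CreateVolume",
         "Resource": "arn:aws:ec2:*:*:volume/*", "Condition": {"Bool": {"ec2:Encrypted": "false"}}},
        {"Sid": "RequireCostCenterTag", "Effect": "Allow",
         "Action": ["ec2:CreateVolume", "ec2:CopySnapshot"], "Resource": "*",
         "Condition": {"StringEquals": {"aws:ResourceTag/CostCenter": "1234"}}},
        {"Sid": "Unrelated", "Effect": "Allow", "Action": "ec2:DescribeVolumes", "Resource": "*"},
    ],
}

# Constructed CloudTrail-style records (field values are illustrative only).
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateVolume", "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ops"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "errorCode": "Client.UnauthorizedOperation",
     "errorMessage": "You are not authorized to perform this operation.",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ops"}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "errorCode": "AccessDenied"},
]

if __name__ == "__main__":
    for sid, key in lint_policy(SAMPLE_POLICY):
        print(f"review {sid}: condition on {key} is not scoped to volume ARNs")
    for call in failed_ec2_calls(SAMPLE_RECORDS):
        print(f"{call['eventTime']} {call['eventName']} {call['errorCode']} {call['principal']}")
```

Running the script reports the unscoped Deny and the tag-gated Allow but not the volume-scoped Deny, and lists only the failed RunInstances call, which is the parent operation whose implied CreateVolume authorisation the answer warns about.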
Hello @Intros
To modify policy permissions for the AWS CreateVolume and CreateSnapshot EBS API actions, follow these steps:

Step 1: Identify Required Permissions
Determine the specific permissions needed for the CreateVolume and CreateSnapshot actions. The basic permissions required are:
- ec2:CreateVolume
- ec2:CreateSnapshot

Step 2: Update IAM Policy
You need to update the IAM policy associated with the user or role that will perform these actions. Here's how to do it:
1. Navigate to IAM in the AWS Management Console: Go to the AWS Management Console. Select "IAM" from the services menu.
2. Find the User or Role: Click on "Users" or "Roles" depending on who needs the permissions. Select the specific user or role.
3. Attach or Edit Policy: If you need to create a new policy, click on "Add permissions" and then "Create policy". If you are editing an existing policy, click on the policy name and then "Edit policy".
4. Add Permissions: In the policy editor, you can use the JSON tab to add the following permissions:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:CreateVolume",
                    "ec2:CreateSnapshot"
                ],
                "Resource": "*"
            }
        ]
    }

   Adjust the "Resource" field as necessary to restrict access to specific resources.
5. Review and Save: Review the changes and click "Review policy" or "Save changes" to apply the new permissions.

Step 3: Test Permissions
After updating the policy, test the permissions by attempting to create a volume and a snapshot using the AWS CLI or SDK to ensure that the changes were successful.

Final Answer
You need to add ec2:CreateVolume and ec2:CreateSnapshot permissions to the IAM policy for the relevant user or role in AWS IAM.
If the Answer is helpful, please click Accept Answer & UPVOTE; this can be beneficial to other community members.