- 최신
- 최다 투표
- 가장 많은 댓글
Hello,
At this time, there isn't a way to restrict "ModifyInstanceAttribute" to specific condition or resource. The action "ModifyInstanceAttribute" does not support any resource level permissions or any condition keys.
https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html
I completely agree with you that this is a valid use case and these actions should support resource level permissions and conditions. This feature is requested by other customers as well and is a popular feature request. We are actively working on your feedback to address the issues listed in your post.
You can keep an eye on our blog[1] and news websites[2] for updates.
[1] http://aws.amazon.com/blogs/aws/
[2] http://aws.amazon.com/new/
Thanks for bringing this to our attention. Have a nice day :)
To restrict instance type change, uses the ec2:attribute service condition key as shown in the example below:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "ec2:ModifyInstanceAttribute",
"Resource": "*",
"Condition": {
"ForAnyValue:StringNotLike": {
"ec2:Attribute/InstanceType": [
"t3.*"
]
}
}
}
]
}
References:
[1]: ec2:Attribute condition key https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policy-structure.html#attribute-key
[2]: Multivalued context keys https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-single-vs-multi-valued-context-keys.html#reference_policies_condition-multi-valued-context-key
관련 콘텐츠
AWS 공식업데이트됨 8달 전
