Service Control Policy - Availability Zones

0

I know we can (and have) locked down access to specific AWS regions. My question is, is it possible to lock down AZs with service control policies?

asked 2 years ago, 315 views
2 Answers
0

Yes, you can do this; this policy blocked me from launching an EC2 instance in "us-east-1a":

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Deny",
      "Action": [
        "ec2:*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "ForAnyValue:StringEquals": {
          "ec2:AvailabilityZone": [
            "us-east-1a"
          ]
        }
      }
    }
  ]
}

Decoded failure message:

{
  "allowed": false,
  "explicitDeny": true,
  "matchedStatements": {
    "items": [
      {
        "statementId": "Statement1",
        "effect": "DENY",
        "principals": {
          "items": [
            {
              "value": "xxxxxxxxxxxxxxxx"
            }
          ]
        },
        "principalGroups": {
          "items": []
        },
        "actions": {
          "items": [
            {
              "value": "ec2:RunInstances"
            },
            {
              "value": "ec2:*"
            }
          ]
        },
        "resources": {
          "items": [
            {
              "value": "*"
            }
          ]
        },
        "conditions": {
          "items": [
            {
              "key": "ec2:AvailabilityZone",
              "values": {
                "items": [
                  {
                    "value": "us-east-1a"
                  }
                ]
              }
            }
          ]
        }
      }
    ]
  },
Matt-B, AWS EXPERT
answered 2 years ago
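The decoded failure message in the answer above is the JSON that `aws sts decode-authorization-message` returns for an EC2 authorization failure (the answer does not say how it was decoded; STS DecodeAuthorizationMessage is the API that produces this shape). Reading it by hand is tedious when it is several screens long, so the following is an added example, not part of the answer or of any AWS tooling, that parses such a message and reports which statement, actions and condition values caused the deny. The embedded message is constructed to mirror the one in the answer, with a placeholder principal.

```python
import json

# Constructed decoded authorization message (not the one from the answer; it
# mirrors its shape). Only the fields needed here are included and the principal
# is a placeholder.
DECODED_MESSAGE = json.dumps({
    "allowed": False,
    "explicitDeny": True,
    "matchedStatements": {
        "items": [
            {
                "statementId": "Statement1",
                "effect": "DENY",
                "principals": {"items": [{"value": "PRINCIPAL-PLACEHOLDER"}]},
                "principalGroups": {"items": []},
                "actions": {"items": [{"value": "ec2:RunInstances"}, {"value": "ec2:*"}]},
                "resources": {"items": [{"value": "*"}]},
                "conditions": {
                    "items": [
                        {
                            "key": "ec2:AvailabilityZone",
                            "values": {"items": [{"value": "us-east-1a"}]},
                        }
                    ]
                },
            }
        ]
    },
})


def _values(node):
    """Flatten the {"items": [{"value": ...}, ...]} wrapper used throughout the message."""
    return [item["value"] for item in node.get("items", [])]


def summarize_denial(decoded_json):
    """Parse a decoded authorization message.

    Returns None if the call was allowed; otherwise a dict with whether the
    deny was explicit and one entry per matched statement giving its id,
    effect, actions, resources and the condition key/value pairs that matched.
    """
    msg = json.loads(decoded_json)
    if msg.get("allowed", False):
        return None
    statements = []
    for stmt in msg.get("matchedStatements", {}).get("items", []):
        statements.append({
            "sid": stmt.get("statementId"),
            "effect": stmt.get("effect"),
            "actions": _values(stmt.get("actions", {})),
            "resources": _values(stmt.get("resources", {})),
            "conditions": {
                cond["key"]: _values(cond.get("values", {}))
                for cond in stmt.get("conditions", {}).get("items", [])
            },
        })
    return {"explicit_deny": bool(msg.get("explicitDeny")), "statements": statements}


if __name__ == "__main__":
    print(json.dumps(summarize_denial(DECODED_MESSAGE), indent=2))
```

Decoding the message requires the `sts:DecodeAuthorizationMessage` permission for the caller, which is worth granting to whoever triages these failures, since the encoded message alone says nothing about which SCP statement matched.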
0

You can add an inline policy and add a condition to restrict access to an availability zone.

answered 2 years ago
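Both answers rely on the same mechanism: a Deny statement whose `ForAnyValue:StringEquals` condition tests the `ec2:AvailabilityZone` context key. The point a practitioner should check before rolling this out is which requests the Deny actually catches. `ForAnyValue` evaluates to false when the key is absent from the request context, so the statement only applies to calls that carry an availability zone (such as `ec2:RunInstances` with a placement) and leaves calls like `ec2:DescribeInstances` untouched, even though the action pattern `ec2:*` matches them. The following is an added example, not code from either answer or from AWS, that models just that subset of IAM evaluation semantics against the SCP posted above and some constructed request contexts.

```python
import fnmatch
import json

# The SCP from the first answer, verbatim.
SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Deny",
      "Action": ["ec2:*"],
      "Resource": ["*"],
      "Condition": {
        "ForAnyValue:StringEquals": {
          "ec2:AvailabilityZone": ["us-east-1a"]
        }
      }
    }
  ]
}
""")


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names match case-insensitively, with * as a wildcard.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _for_any_value_string_equals(wanted, present):
    # ForAnyValue: true when at least one request value is in the policy's set.
    # An absent key contributes no values, so the result is false, and for a
    # Deny statement that means "this statement does not apply to the call".
    return any(v in wanted for v in present)


def _condition_matches(condition, context):
    for operator, clauses in condition.items():
        if operator != "ForAnyValue:StringEquals":
            raise NotImplementedError(f"operator {operator} is not modelled here")
        for key, wanted in clauses.items():
            present = _as_list(context.get(key, []))
            if not _for_any_value_string_equals(set(wanted), present):
                return False
    return True


def evaluate(policy, action, context):
    """Return ("deny", sid) if an explicit Deny statement matches the request,
    otherwise ("no-match", None). An SCP only filters: "no-match" means the SCP
    does not block the call, and the identity policy still decides whether it
    is allowed.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not _action_matches(_as_list(stmt["Action"]), action):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return ("deny", stmt.get("Sid"))
    return ("no-match", None)


if __name__ == "__main__":
    # Constructed request contexts; ec2:AvailabilityZone is only present on
    # calls that carry an AZ, such as RunInstances with a placement.
    for action, ctx in [
        ("ec2:RunInstances", {"ec2:AvailabilityZone": "us-east-1a"}),
        ("ec2:RunInstances", {"ec2:AvailabilityZone": "us-east-1b"}),
        ("ec2:DescribeInstances", {}),
    ]:
        print(action, ctx, "->", evaluate(SCP, action, ctx))
```

One caveat when pinning a policy to a zone name: names such as `us-east-1a` are mapped to physical zones independently per AWS account, so the same name in two member accounts of an organization need not be the same physical zone. If the intent is to keep workloads out of one physical location across accounts, check the zone ID mapping in each account rather than assuming the name means the same thing everywhere.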
