2 回答
- 最新
- 投票最多
- 评论最多
0
After talking with support, the issue is that CreateSecurityGroup
in a non-default VPC requires that the requester be authorized to call CreateSecurityGroup
on that VPC. The VPC component of CreateSecurityGroup
does not, however, support filtering on aws:RequestTag
. The solution is to use two seperate statements, one which grants CreateSecurityGroup
on security-group/*
and one which grants CreateSecurityGroup
on the VPC(s).
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "ec2:CreateSecurityGroup", "Resource": "arn:aws:ec2:*:XXXXXXXXX:security-group/*", "Condition": { "StringEquals": { "aws:RequestTag/CreatedBy": "Controller" } } }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": "ec2:CreateSecurityGroup", "Resource": "arn:aws:ec2:*:XXXXXXXXX:vpc/vpc-XXXXXXXXX" } { "Sid": "VisualEditor2", "Effect": "Allow", "Action": [ "ec2:Describe*", "ec2:CreateTags" ], "Resource": "*" } ] }
已回答 6 个月前
0
It states the required permission also needed is ec2:CreateTags
Does this user have the permission to CreateTags also?
Yes, the create tags permission is granted elsewhere. Tags are applied correctly when placed in the default VPC, which leads me to believe that's not the issue.
相关内容
- AWS 官方已更新 2 年前
This policy is exactly what I said. Just missing create tag. Resource is * basically.