- 最新
- 投票最多
- 评论最多
You could put conditions on user IAM roles to prevent specific AMIs, but there isn't a mechanism to prevent a certain OS in general.
Thanks, I actually got it working by creating two separate policies and when scoping with two default policies that allow other EC2 instances gave me the intended results of denying any AMI containing CentOS but still allowing any other AMI image from being deployed.
The first policy below I created denies all CentOS by searching for an attribute that contains any wording that contains centos.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"cloudwatch:*",
"elasticloadbalancing:*",
"autoscaling:*"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": [
"autoscaling.amazonaws.com",
"ec2scheduled.amazonaws.com",
"elasticloadbalancing.amazonaws.com",
"spot.amazonaws.com",
"spotfleet.amazonaws.com",
"transitgateway.amazonaws.com"
]
}
}
},
{
"Sid": "VisualEditor2",
"Effect": "Deny",
"Action": "ec2:*",
"Resource": "*",
"Condition": {
"StringEqualsIgnoreCase": {
"ec2:ImageID": "ami-002070d43b0a4f171"
},
"ForAnyValue:StringLike": {
"ec2:Attribute/Condition": [
"Linux/Unix",
"CentOS*"
]
}
}
}
]
}
Then the second policy I created denies marketplace instances from being launched except ones that I own or from Amazon:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyMarketPlaceAMIAccess",
"Effect": "Deny",
"Action": [
"ec2:RunScheduledInstances",
"ec2:RunInstances"
],
"Resource": "arn:aws:ec2:*::image/ami-*",
"Condition": {
"StringNotEquals": {
"ec2:Owner": [
"amazon",
"self"
]
}
}
}
]
}
Once these two are created I scoped these two policies as well as the two native policies to allow other EC2 instances from being launched.
- AmazonEC2FullAccess
- AWSCloudShellFullAccess
- Custom policy 1
- Custom policy 2
Example:
相关内容
AWS 官方已更新 1 年前
