How does IAM evaluation logic apply to an explicit deny policy with multiple condition keys?
I want to create an AWS Identity and Access Management (IAM) explicit deny policy. The deny policy must restrict the creation of Amazon Elastic Compute Cloud (Amazon EC2) instances and Amazon Elastic Block Store (Amazon EBS) volumes.
Short description
Use IAM policy tag conditions to restrict the launch of EC2 instances and the creation of EBS volumes in one of two ways: an Allow that uses the StringLike string condition operator, or a Deny that uses the StringNotLike string condition operator.
For more information, see How do I use IAM policy tags to restrict how an EC2 instance or EBS volume can be created?
Resolution
To restrict the creation of EC2 instances and EBS volumes, use the following example IAM policy, which uses a Deny with StringNotLike.
Note: It's a best practice to use a Deny with StringNotLike to prevent unintended access. An explicit deny overrides any Allow that the principal receives from another policy, so the tag requirement keeps holding even if a broader Allow is attached later.
If a single statement has multiple condition operators, or multiple condition keys under one condition operator, IAM evaluates them with AND logic: the statement matches only when every key matches. When you use a Deny to enforce several tags, put each RequestTag key in its own Deny statement. Across statements the logic is effectively OR, because an explicit deny from any one matching statement is enough to deny the request.
Note: Placing all the RequestTag keys in the Condition block of a single Deny statement doesn't behave as expected. Because the keys are ANDed, the action is still allowed while any one of the conditions is unmet. The Deny applies only after every condition is met, that is, only when every required tag is missing or wrong at the same time.
The required tags are the following:
- The cost_center tag must have a non-empty value.
- The EC2 instance has a tag key named Production.
- The identifier tag must be exactly five characters, in any combination.
- The env tag value must be sandbox, dev, or prod.
Example policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowToDescribeAll",
      "Effect": "Allow",
      "Action": ["ec2:Describe*"],
      "Resource": "*"
    },
    {
      "Sid": "AllowRunInstances",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*::image/*",
        "arn:aws:ec2:*::snapshot/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:key-pair/*"
      ]
    },
    {
      "Sid": "AllowRunInstancesWithRestrictions1",
      "Effect": "Deny",
      "Action": ["ec2:CreateVolume", "ec2:RunInstances"],
      "Resource": ["arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:instance/*"],
      "Condition": {
        "StringNotLike": {"aws:RequestTag/cost_center": "?*"}
      }
    },
    {
      "Sid": "AllowRunInstancesWithRestrictions2",
      "Effect": "Deny",
      "Action": ["ec2:CreateVolume", "ec2:RunInstances"],
      "Resource": ["arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:instance/*"],
      "Condition": {
        "ForAllValues:StringNotLike": {"aws:TagKeys": "Production"}
      }
    },
    {
      "Sid": "AllowRunInstancesWithRestrictions3",
      "Effect": "Deny",
      "Action": ["ec2:CreateVolume", "ec2:RunInstances"],
      "Resource": ["arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:instance/*"],
      "Condition": {
        "StringNotLike": {"aws:RequestTag/identifier": "?????"}
      }
    },
    {
      "Sid": "AllowRunInstancesWithRestrictions4",
      "Effect": "Deny",
      "Action": ["ec2:CreateVolume", "ec2:RunInstances"],
      "Resource": ["arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:instance/*"],
      "Condition": {
        "StringNotLike": {"aws:RequestTag/env": ["sandbox", "dev", "prod"]}
      }
    },
    {
      "Sid": "AllowRunInstances1",
      "Effect": "Allow",
      "Action": ["ec2:CreateVolume", "ec2:RunInstances"],
      "Resource": ["arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:instance/*"]
    },
    {
      "Sid": "AllowCreateTagsOnRunInstance",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "*",
      "Condition": {
        "StringEquals": {"ec2:CreateAction": "RunInstances"}
      }
    }
  ]
}
```
Note the following enforced values:
- The aws:TagKeys value Production is matched case-sensitively; a tag key such as production doesn't satisfy it.
- The ????? value enforces exactly five characters, in any combination. Leading and trailing spaces are ignored.
- The ?* value requires at least one character in the value field, so an EC2 instance can't be launched with an empty tag value.
Before you rely on the policy, exercise the missing-tag, empty-value and wrong-value cases for each required tag (for example with `aws ec2 run-instances --dry-run`) and confirm that every one of them returns an explicit deny rather than assuming it from the policy text.
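The following is an added example, not code from the AWS article: a small Python model of the StringLike / StringNotLike operators, the ForAllValues set operator and the AND-within-a-statement rule described above. It evaluates the article's four Deny statements against constructed RunInstances tag sets, and then evaluates the same four condition keys collapsed into one Deny statement, so you can see that the combined statement only denies when every tag is wrong at once. The request context, the sample tag sets and the handling of a missing condition key (a missing key fails a positive operator, satisfies a negated one, and satisfies ForAllValues) are assumptions of this model; confirm them against your own dry-run tests.

```python
import re

# Constructed stand-in for the IAM request context of a RunInstances call:
# one aws:RequestTag/<key> entry per tag plus aws:TagKeys as the multivalued key set.
def request_context(tags):
    ctx = {f"aws:RequestTag/{k}": v for k, v in tags.items()}
    ctx["aws:TagKeys"] = list(tags)
    return ctx

def iam_like(pattern, value):
    """StringLike semantics: '*' matches any run of characters, '?' exactly one.
    The match is case-sensitive and must cover the whole value."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None

def _match_one(base, value, patterns):
    hit = any(iam_like(p, value) for p in patterns)  # several policy values are OR'ed
    return not hit if base == "StringNotLike" else hit

def condition_matches(condition, ctx):
    """A Condition block is true only when every operator/key pair is true (AND)."""
    for operator, pairs in condition.items():
        set_op, _, base = operator.rpartition(":")  # "ForAllValues:StringNotLike" -> ("ForAllValues", "StringNotLike")
        if base not in ("StringLike", "StringNotLike"):
            raise ValueError(f"operator {operator} is not modelled here")
        for key, patterns in pairs.items():
            patterns = [patterns] if isinstance(patterns, str) else list(patterns)
            if key not in ctx:
                # Assumption (verify with --dry-run): a missing key fails a positive operator,
                # satisfies a negated operator, and satisfies ForAllValues (empty set).
                ok = set_op == "ForAllValues" or (not set_op and base == "StringNotLike")
            elif set_op == "ForAllValues":
                ok = all(_match_one(base, v, patterns) for v in ctx[key])  # empty set -> True
            elif set_op == "ForAnyValue":
                ok = any(_match_one(base, v, patterns) for v in ctx[key])
            else:
                ok = _match_one(base, ctx[key], patterns)
            if not ok:
                return False
    return True

def denied(deny_conditions, tags):
    """An explicit deny wins as soon as ANY Deny statement's Condition block matches."""
    ctx = request_context(tags)
    return any(condition_matches(c, ctx) for c in deny_conditions)

# The Condition blocks of the article's four Deny statements, one key each.
DENY_SEPARATE = [
    {"StringNotLike": {"aws:RequestTag/cost_center": "?*"}},
    {"ForAllValues:StringNotLike": {"aws:TagKeys": "Production"}},
    {"StringNotLike": {"aws:RequestTag/identifier": "?????"}},
    {"StringNotLike": {"aws:RequestTag/env": ["sandbox", "dev", "prod"]}},
]

# The same four keys collapsed into a single Deny statement (the pattern the article warns against).
DENY_COMBINED = [{
    "StringNotLike": {
        "aws:RequestTag/cost_center": "?*",
        "aws:RequestTag/identifier": "?????",
        "aws:RequestTag/env": ["sandbox", "dev", "prod"],
    },
    "ForAllValues:StringNotLike": {"aws:TagKeys": "Production"},
}]

# Constructed sample tag sets for RunInstances requests.
CASES = {
    "all tags valid":       {"cost_center": "42", "Production": "", "identifier": "ab123", "env": "dev"},
    "env missing":          {"cost_center": "42", "Production": "", "identifier": "ab123"},
    "identifier too short": {"cost_center": "42", "Production": "", "identifier": "ab1", "env": "prod"},
    "empty cost_center":    {"cost_center": "", "Production": "", "identifier": "ab123", "env": "sandbox"},
    "no required tags":     {"Name": "web"},
}

def compare(cases=CASES):
    """Return {case: (denied by the separate statements, denied by the combined statement)}."""
    return {name: (denied(DENY_SEPARATE, t), denied(DENY_COMBINED, t)) for name, t in cases.items()}

if __name__ == "__main__":
    for name, (sep, comb) in compare().items():
        print(f"{name:22s} separate={str(sep):5s} combined={comb}")
```

Only the request with no required tags at all is denied by the combined statement; every request that gets just one tag wrong slips through it, while the separate statements deny each of them.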