3 Answers
1
Yes, it could be used to control the use of EC2 instances:
{
  "Sid": "",
  "Effect": "Deny",
  "Action": [
    "ec2:RunInstances"
  ],
  "Resource": [
    "arn:aws:ec2:*:*:instance/*"
  ],
  "Condition": {
    "StringNotEquals": {
      "ec2:InstanceType": [
        "c5.large"
      ]
    },
    "ForAllValues:StringNotLike": {
      "aws:PrincipalOrgPaths": [
        "o-a1234bcd/r-abc1/ou-123-xyz789/*"
      ]
    }
  }
}
This policy denies the use of c5.large instances in anything other than the specified OU.
Answered 2 years ago
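A small evaluator for the Condition block in the answer above, added here as an illustration (not code from the answer or from AWS). It models only the two operators used, with the IAM rules that operators in one block are ANDed and that ForAllValues is true when the key is absent; the second OU path and the m5.large type are constructed sample values.

```python
import re

# The Condition block from the answer above, copied as-is.
CONDITION = {
    "StringNotEquals": {"ec2:InstanceType": ["c5.large"]},
    "ForAllValues:StringNotLike": {
        "aws:PrincipalOrgPaths": ["o-a1234bcd/r-abc1/ou-123-xyz789/*"]
    },
}

def like(pattern, value):
    # IAM StringLike: only '*' and '?' are wildcards; matching is case-sensitive.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.DOTALL) is not None

def not_equals(policy_values, ctx_value):
    # Negated operator: true when the value equals none of the listed values
    # (and also true when the key is absent from the request context).
    return ctx_value is None or all(ctx_value != p for p in policy_values)

def for_all_not_like(policy_values, ctx_values):
    # ForAllValues: every context value must pass; an absent or empty key passes vacuously.
    return all(not like(p, v) for v in (ctx_values or []) for p in policy_values)

def deny_applies(context):
    """True when every operator in CONDITION matches, i.e. the Deny takes effect."""
    type_ok = not_equals(CONDITION["StringNotEquals"]["ec2:InstanceType"],
                         context.get("ec2:InstanceType"))
    path_ok = for_all_not_like(
        CONDITION["ForAllValues:StringNotLike"]["aws:PrincipalOrgPaths"],
        context.get("aws:PrincipalOrgPaths"))
    return type_ok and path_ok  # operators in one Condition block are ANDed

# Constructed request contexts (the second OU path is made up for the example).
IN_OU = ["o-a1234bcd/r-abc1/ou-123-xyz789/"]
OTHER_OU = ["o-a1234bcd/r-abc1/ou-123-other000/"]

def results():
    return {
        (where, itype): deny_applies({"ec2:InstanceType": itype, "aws:PrincipalOrgPaths": paths})
        for where, paths in (("in_ou", IN_OU), ("other_ou", OTHER_OU), ("no_org", None))
        for itype in ("c5.large", "m5.large")
    }

if __name__ == "__main__":
    for key, denied in results().items():
        print(key, "DENY" if denied else "no match")
```
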
1
Hey - Principal Org Paths can be used to target specific OUs.
You can set a condition and use StringLike or StringNotLike to apply or exempt the policy from specific OUs.
"Condition": {
  "ForAllValues:StringNotLike": {
    "aws:PrincipalOrgPaths": [
      "o-a1234bcd/r-abc1/ou-123-xyz789/*"
    ]
  }
}
The above condition means that the policy would not apply to that specific OU.
Answered 2 years ago
Thank you!!!
Could it be used to restrict specific instances (EC2) to prod/dev OUs?
0
Take a look at this blog post: How to control access to AWS resources based on AWS account, OU, or organization.
Answered 2 years ago
Thank you!!