I have created a policy which allows users to do all ec2 actions but restricts user to runinstances and createvolumes and terminate instances only when they pass the given tag key-values pairs with a explicit deny.
ec2 full permissions policy
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "ec2:*", "Resource": "*" } ] }ec2 run instance and create volumes explicit deny with conditions.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Deny", "Action": [ "ec2:RunInstances", "ec2:CreateVolume" ], "Resource": [ "arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*" ], "Condition": { "ForAllValues:StringNotEquals": { "aws:TagKeys": "Name", "aws:RequestTag/Name": "${aws:username}" } } }, { "Sid": "VisualEditor1", "Effect": "Deny", "Action": "ec2:CreateTags", "Resource": [ "arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*" ], "Condition": { "ForAllValues:StringNotEquals": { "aws:RequestTag/Name": "${aws:username}" }, "StringNotEquals": { "ec2:CreateAction": "RunInstances", "aws:TagKeys": "Name" } } }, { "Sid": "VisualEditor2", "Effect": "Deny", "Action": [ "ec2:DeleteVolume", "ec2:TerminateInstances" ], "Resource": [ "arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*" ], "Condition": { "ForAllValues:StringNotEquals": { "ec2:ResourceTag/Name": "${aws:username}" } } } ] }
My requirement is to restrict user to give all ec2 permissions and restrict to runinstances only when pass tag key "Name" and tag value as "their aws user name". but when this policy is applied to a user, it is restricting them to run only when they pass tagkey "Name", but its not restricting with tagvalue "their aws user name ${aws:username}". but the same restriction is working properly when the user is trying to terminate instances i.e user is unable to terminate instances with tagkey "Name" and tag value "their aws user name ${aws:username}"
what could be the error in policy, that is allowing user to runinstances with tagkey "Name" and any value for tagValue, even null is also allowing
You can use the below IAM Policy and edit as per your liking. I use this in production and works flawlessly. It will only launch instances if they are tagged with values present in the list.:
Here, Key = Environment, Value = mentioned below
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "TheseActionsDontSupportResourceLevelPermissions",
"Effect": "Allow",
"Action": [
"ec2:Describe*"
],
"Resource": "*"
},
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:*::image/ami-*",
"arn:aws:ec2:*:ACCOUNT_ID:volume/*",
"arn:aws:ec2:*:ACCOUNT_ID:subnet/*",
"arn:aws:ec2:*:ACCOUNT_ID:network-interface/*",
"arn:aws:ec2:*:ACCOUNT_ID:security-group/*",
"arn:aws:ec2:*:ACCOUNT_ID:key-pair/*"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:*:ACCOUNT_ID:instance/*",
"Condition": {
"StringNotLike": {
"aws:RequestTag/Environment": [
"Testing",
"Staging",
"Production",
"Nightly",
"Sandbox",
"LoadTesting"
]
}
}
}
]
}
It is not working because the following block is implementing a logical OR. So, the instance will be launched if any of the condition is met. You have to create a logical AND by separating the condition keys in two different blocks as mentioned here.
"Condition": {
"ForAllValues:StringNotEquals": {
"aws:TagKeys": "Name",
"aws:RequestTag/Name": "${aws:username}"
}
}
来源:https://stackoverflow.com/questions/51929870/explicit-deny-for-user-to-runinstances-in-aws-when-not-using-specific-tag-keyval