2017-08-17 91 views
1

IAM policy not launching

I have attached the custom IAM policy below as an inline policy to an IAM user, but when I try to launch an EC2 instance while logged in as that user, it does not work. My requirement is to allow the user to launch only t2.micro instances.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeImages",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:us-east-1:xxxxxxxxx:network-interface/*",
        "arn:aws:ec2:us-east-1:xxxxxxxxx:volume/*",
        "arn:aws:ec2:us-east-1:xxxxxxxxx:key-pair/*",
        "arn:aws:ec2:us-east-1:xxxxxxxxx:security-group/*",
        "arn:aws:ec2:us-east-1:xxxxxxxxx:subnet/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:us-east-1:xxxxxxxxx:instance/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:InstanceType": "t2.micro"
        }
      }
    }
  ]
}

Any guesses as to what the problem might be?

+0

"But when I try to launch an EC2 instance while logged in as the user, it does not work." - What error are you getting? –

+0

Launch failed: You are not authorized to perform this operation. – Venkat

+0

What is the type of the instance you are trying to launch? – Mahdi

Answers

0

I think your policy is missing the following:

"arn:aws:ec2:us-east-1::image/ami-*" 

Alternatively, you can specify one particular image:

"arn:aws:ec2:us-east-1::image/ami-xxxxxxxx" 
0

Instead of restricting the Allow, you can allow ec2:* but add this statement, which denies anything other than t2.micro:

{
  "Action": [
    "ec2:RunInstances"
  ],
  "Effect": "Deny",
  "Resource": "arn:aws:ec2:*:*:instance/*",
  "Condition": {
    "StringNotEquals": {
      "ec2:InstanceType": [
        "t2.micro"
      ]
    }
  }
},

But be careful, because someone could launch a t2.micro, stop it, modify the instance type, and then start it again!

To prevent that, you can add:

{
  "Action": [
    "ec2:ModifyInstanceAttribute"
  ],
  "Effect": "Deny",
  "Resource": "*"
},
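To see why the asker's policy fails and how each of the two answers changes the outcome, here is a small Python model of IAM policy evaluation. It is an added example written for this page, not code from either answerer and not how AWS implements IAM; it models only what the answers rely on: Allow/Deny statements, wildcards in Action and Resource, StringEquals/StringNotEquals on context keys, the rule that an explicit Deny always wins, and the fact that RunInstances must be authorised against every resource the call touches (image, instance, network interface, volume, key pair, security group, subnet). The account id, AMI id and instance id are constructed placeholders, and the asker's six Describe actions are collapsed to ec2:Describe* for brevity.

```python
"""Minimal model of IAM policy evaluation for the ec2:RunInstances case above."""
from fnmatch import fnmatchcase

REGION = "us-east-1"
ACCOUNT = "111122223333"          # constructed placeholder, not a real account id
AMI = "ami-0123456789abcdef0"     # constructed placeholder AMI id
INSTANCE = "i-0abc12345def67890"  # constructed placeholder instance id


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Every operator and key in a Condition block must hold (logical AND)."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual, wanted = context.get(key), _as_list(wanted)
            if operator == "StringEquals":
                if actual is None or actual not in wanted:
                    return False
            elif operator == "StringNotEquals":
                # as in IAM, a missing key satisfies a negated operator
                if actual is not None and actual in wanted:
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled")
    return True


def _matches(stmt, action, resource, context):
    return (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and _condition_holds(stmt.get("Condition", {}), context))


def evaluate(policy, action, resources, context=None):
    """Return (decision, reason). The call is allowed only if every resource it
    touches has a matching Allow and none has a matching Deny."""
    context = context or {}
    for resource in resources:
        effects = {s["Effect"] for s in policy["Statement"]
                   if _matches(s, action, resource, context)}
        if "Deny" in effects:
            return "Deny", f"explicit deny on {resource}"
        if "Allow" not in effects:
            return "Deny", f"no Allow covers {resource}"
    return "Allow", "every resource allowed"


_PREFIX = f"arn:aws:ec2:{REGION}:{ACCOUNT}"


def run_instances_resources():
    """ARNs a RunInstances call is authorised against. The image ARN carries
    no account id, which is why the first answer's ARN reads '::image/'."""
    return [f"arn:aws:ec2:{REGION}::image/{AMI}",
            f"{_PREFIX}:instance/{INSTANCE}",
            f"{_PREFIX}:network-interface/eni-0abc1234",
            f"{_PREFIX}:volume/vol-0abc1234",
            f"{_PREFIX}:key-pair/mykey",
            f"{_PREFIX}:security-group/sg-0abc1234",
            f"{_PREFIX}:subnet/subnet-0abc1234"]


_RUN_RESOURCES = [f"{_PREFIX}:{kind}/*" for kind in
                  ("network-interface", "volume", "key-pair", "security-group", "subnet")]

# The asker's policy: nothing allows the image resource, so RunInstances fails.
ASKER_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": _RUN_RESOURCES},
    {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": f"{_PREFIX}:instance/*",
     "Condition": {"StringEquals": {"ec2:InstanceType": "t2.micro"}}},
]}

# First answer: the same policy with the image ARN added.
FIXED_POLICY = {"Statement": ASKER_POLICY["Statement"] + [
    {"Effect": "Allow", "Action": "ec2:RunInstances",
     "Resource": f"arn:aws:ec2:{REGION}::image/ami-*"}]}

# Second answer: broad Allow, explicit Deny for non-t2.micro and for ModifyInstanceAttribute.
DENY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringNotEquals": {"ec2:InstanceType": ["t2.micro"]}}},
    {"Effect": "Deny", "Action": "ec2:ModifyInstanceAttribute", "Resource": "*"},
]}


def check_run(policy, instance_type):
    return evaluate(policy, "ec2:RunInstances", run_instances_resources(),
                    {"ec2:InstanceType": instance_type})


def check_modify(policy):
    return evaluate(policy, "ec2:ModifyInstanceAttribute",
                    [f"{_PREFIX}:instance/{INSTANCE}"], {"ec2:InstanceType": "t2.micro"})


if __name__ == "__main__":
    for name, policy in (("asker", ASKER_POLICY), ("fixed", FIXED_POLICY), ("deny-based", DENY_POLICY)):
        for itype in ("t2.micro", "t2.large"):
            print(name, itype, *check_run(policy, itype))
        print(name, "ModifyInstanceAttribute", *check_modify(policy))
```

Running it shows the asker's policy denied on the image resource (the first answer's point), the fixed policy allowing t2.micro and implicitly denying t2.large, and the deny-based policy explicitly denying t2.large as well as ModifyInstanceAttribute, which closes the stop/modify/start gap the second answer warns about. The model simplifies real IAM in one notable way: AWS only supplies ec2:InstanceType when evaluating the instance resource, whereas here the same context is used for every resource; that does not change any of these results because every statement with that condition is scoped to instance/* anyway.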