I am trying to narrow down the minimal policy needed to run a predefined machine image. The image is based on two snapshots, and I only want to launch the "m1.medium" instance type.
Based on that, and with the help of this page http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html and this article http://aws.typepad.com/aws/2013/11/amazon-ec2-resource-level-permissions-for-runinstances.html, I put together the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1385026304010",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:InstanceType": "m1.medium"
        }
      },
      "Resource": [
        "arn:aws:ec2:us-east-1::instance/*",
        "arn:aws:ec2:us-east-1::image/ami-f1c3e498",
        "arn:aws:ec2:us-east-1::snapshot/snap-e2f51ffa",
        "arn:aws:ec2:us-east-1::snapshot/snap-18ca2000",
        "arn:aws:ec2:us-east-1::key-pair/shenton",
        "arn:aws:ec2:us-east-1::security-group/sg-6af56d02",
        "arn:aws:ec2:us-east-1::volume/*"
      ]
    }
  ]
}
The policy narrows things down to the exact image, snapshots, security group and key pair, while leaving the instance and volume resources open.
I am using the CLI tools, as described here http://docs.aws.amazon.com/cli/latest/reference/ec2/run-instances.html:
aws ec2 run-instances --dry-run \
--image-id ami-f1c3e498 \
--key-name shenton \
--security-group-ids sg-6af56d02 \
--instance-type m1.medium
The ~/.aws/config is as follows:
[default]
output = json
region = us-east-1
aws_access_key_id = ...
aws_secret_access_key = ...
The command produces a generic You are not authorized to perform this operation message, and the encoded authorization failure message indicates that none of my statements match, so the action is denied.
Changing to "Resource": "*" obviously fixes the problem, but I would like to gain a better understanding of why the above does not work. I am fully aware this involves a certain amount of guesswork, so I welcome any ideas.
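As an added example (not code from the question or from AWS), a small Python linter that checks a RunInstances policy like the one above against the EC2 ARN conventions in the linked API permissions reference and flags the two things that commonly produce the generic "not authorized" result: ARNs that omit the account ID where the resource type requires one, and an ec2:InstanceType condition attached to non-instance resources in the same statement. The policy it inspects is the question's own; the account ID 123456789012 used when exercising it is a constructed placeholder.

```python
# Policy from the question above, copied so the checks below can run offline.
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Stmt1385026304010", "Effect": "Allow", "Action": ["ec2:RunInstances"],
    "Condition": {"StringEquals": {"ec2:InstanceType": "m1.medium"}},
    "Resource": ["arn:aws:ec2:us-east-1::instance/*", "arn:aws:ec2:us-east-1::volume/*",
                 "arn:aws:ec2:us-east-1::image/ami-f1c3e498",
                 "arn:aws:ec2:us-east-1::snapshot/snap-e2f51ffa",
                 "arn:aws:ec2:us-east-1::snapshot/snap-18ca2000",
                 "arn:aws:ec2:us-east-1::key-pair/shenton",
                 "arn:aws:ec2:us-east-1::security-group/sg-6af56d02"]}]}

# EC2 ARN conventions from the EC2 API permissions reference: image and snapshot
# ARNs leave the account field empty; the other RunInstances resources require one.
ACCOUNT_FREE = {"image", "snapshot"}
ACCOUNT_REQUIRED = {"instance", "volume", "key-pair", "security-group"}

def split_arn(arn):  # -> (account, resource_type) for an EC2 ARN, or None if malformed
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "ec2":
        return None
    return parts[4], parts[5].split("/", 1)[0]

def lint_arn(arn):
    """Return a finding if the ARN's account field is wrong for its type, else None."""
    parsed = split_arn(arn)
    if parsed is None:
        return f"{arn}: not a well-formed EC2 ARN"
    account, rtype = parsed
    if rtype in ACCOUNT_FREE and account:
        return f"{arn}: {rtype} ARNs use an empty account field"
    if rtype in ACCOUNT_REQUIRED and not account:
        return f"{arn}: {rtype} ARN needs an account ID (or '*') in the account field"
    return None

def lint_policy(policy):  # -> list of findings for the ec2:RunInstances statements
    findings = []
    for stmt in policy["Statement"]:
        if "ec2:RunInstances" not in stmt.get("Action", []):  # wildcards not expanded
            continue
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        findings += [f for f in map(lint_arn, resources) if f]
        # ec2:InstanceType exists only while the instance resource is evaluated; a
        # statement that also lists image/snapshot/key-pair/... resources never matches.
        cond_keys = {k for op in stmt.get("Condition", {}).values() for k in op}
        others = [r for r in resources if (split_arn(r) or ("", ""))[1] != "instance"]
        if "ec2:InstanceType" in cond_keys and others:
            findings.append(f"{stmt.get('Sid', '?')}: ec2:InstanceType condition also covers "
                            f"{len(others)} non-instance resources; put them in a separate statement")
    return findings
```

Running lint_policy(QUESTION_POLICY) reports the four account-less instance, volume, key-pair and security-group ARNs plus the shared condition; a policy with the account ID filled in and the condition confined to its own instance/* statement reports nothing.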