一千萬個為什麽


Prevent IAM users from overriding launch template parameters on RunInstances



I am trying to set up an IAM policy that allows users to run instances (ec2:RunInstances), but only from a specific launch template, and without changing any of that launch template's parameters.

The relevant part of my policy looks like this:

{
  "Effect": "Allow",
  "Action": "ec2:RunInstances",
  "Resource": "*",
  "Condition": {
    "ArnLike": {
      "ec2:LaunchTemplate": "arn:aws:ec2:ap-southeast-2:xxxxxxx:launch-template/lt-xxxxxxx"
    }
  }
}

This works fine. Running the following command with the user's credentials:

aws ec2 run-instances --launch-template LaunchTemplateName=test

...works, and specifying a different launch template fails. So far so good.

However, the user can override values from the launch template and do almost anything they like:

aws ec2 run-instances --launch-template LaunchTemplateName=test --instance-type t2.micro

even though I set the instance type to t2.nano in the launch template.

The documentation has a solution for this: require the ec2:IsLaunchTemplateResource condition to be "true", which apparently is only the case if the user has not overridden the launch template.

Perfect - exactly what I'm after! The Condition statement in my IAM policy now looks like this:

  "Condition": {
    "ArnLike": {
      "ec2:LaunchTemplate": "arn:aws:ec2:ap-southeast-2:xxxxxxx:launch-template/lt-xxxxxxx"
    },
    "Bool": {
      "ec2:IsLaunchTemplateResource": "true"
    }
  }

However, with this additional condition present, the RunInstances call fails even when the user makes no changes. After decoding the authorization failure message, I can see AWS reporting that ec2:IsLaunchTemplateResource is not "true":

{
  "key": "ec2:IsLaunchTemplateResource",
  "values": {
    "items": [
      {
        "value": "false"
      }
    ]
  }
}

EDIT: After posting this, I continued to iterate, and noticed that the specific resource that was hitting up against this issue was the subnet - which wasn't defined in the launch template. Taking cues from additional examples in the documentation I linked to, I tried adding another statement to allow the subnet resource even without ec2:IsLaunchTemplateResource being true, and this worked. I also tried, alternatively, explicitly defining the subnet in the launch template: this worked too.

However, now I am not getting access denied even when changing the instance type! So it appears that it was the subnet all along that was triggering the original denial. While I've sort of taken a step forward, the symptom of the issue has now flipped from what I was initially experiencing... and now although the user can launch, they can also launch instances I don't want them to. So my initial question below still remains. :)


So, my question is... am I doing something wrong? Does ec2:IsLaunchTemplateResource work the way I understand it (which I think is fairly clear in the documentation)?

Alternatively, is there another way to allow IAM users to launch instances from a template while preventing them from making changes (such as choosing a super expensive instance type)?
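To make the debugging step described in the question repeatable, here is an added example (not code from the original post, and not AWS's own tooling) that parses the JSON returned by `aws sts decode-authorization-message --encoded-message <blob>` and reports which resource was being evaluated and which condition keys came back "false"; it also builds the two-statement policy the edit above describes, with a separate statement for the subnet that carries no ec2:IsLaunchTemplateResource condition. The account id, user name, subnet id and template id are placeholder assumptions, and the sample decoded message is constructed to mirror the structure of a real one. Note that, as the edit says, the two-statement policy only clears the subnet denial; it does not by itself stop the instance-type override.

```python
"""Decode-helper for denied ec2:RunInstances calls (added example, not from
the original post). Calling the decode API itself requires the
sts:DecodeAuthorizationMessage permission; this script only parses its output."""
import json
import sys

# Constructed sample in the shape of a decoded authorization message for the
# denial described in the post: the resource being evaluated is the subnet,
# and ec2:IsLaunchTemplateResource evaluates to "false" for it.
# All ids and ARNs below are placeholders.
SAMPLE_DECODED_MESSAGE = json.dumps({
    "allowed": False,
    "explicitDeny": False,
    "matchedStatements": {"items": []},
    "failures": {"items": []},
    "context": {
        "principal": {
            "id": "AIDAEXAMPLEEXAMPLE",
            "name": "test-user",
            "arn": "arn:aws:iam::111111111111:user/test-user",
        },
        "action": "ec2:RunInstances",
        "resource": "arn:aws:ec2:ap-southeast-2:111111111111:subnet/subnet-0example",
        "conditions": {"items": [
            {"key": "ec2:LaunchTemplate", "values": {"items": [
                {"value": "arn:aws:ec2:ap-southeast-2:111111111111:launch-template/lt-0example"}]}},
            {"key": "ec2:IsLaunchTemplateResource", "values": {"items": [{"value": "false"}]}},
            {"key": "ec2:Region", "values": {"items": [{"value": "ap-southeast-2"}]}},
        ]},
    },
})


def parse_decoded_message(decoded_json: str) -> dict:
    """Flatten a decoded message into action, evaluated resource and a
    {condition_key: [values]} map. Each condition may carry several values."""
    msg = json.loads(decoded_json)
    ctx = msg["context"]
    conditions = {}
    for item in ctx.get("conditions", {}).get("items", []):
        conditions[item["key"]] = [v["value"] for v in item["values"]["items"]]
    return {
        "allowed": bool(msg.get("allowed", False)),
        "action": ctx.get("action"),
        "resource": ctx.get("resource"),
        "conditions": conditions,
    }


def false_condition_keys(parsed: dict) -> list:
    """Condition keys whose only value was the string 'false'; these are the
    Bool conditions that could not have matched a "true" requirement."""
    return sorted(k for k, vals in parsed["conditions"].items() if vals == ["false"])


def resource_type(arn: str) -> str:
    """'subnet' from 'arn:aws:ec2:<region>:<acct>:subnet/subnet-xxx'."""
    return arn.rsplit(":", 1)[-1].split("/", 1)[0]


def launch_template_policy(template_arn: str, subnet_arn_pattern: str) -> dict:
    """Policy in the shape the post's edit describes: resources created from
    the template must satisfy ec2:IsLaunchTemplateResource, and the subnet
    (which the template did not define) is allowed by its own statement
    without that condition. The resource patterns are the caller's assumption."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ec2:RunInstances",
                "Resource": "*",
                "Condition": {
                    "ArnLike": {"ec2:LaunchTemplate": template_arn},
                    "Bool": {"ec2:IsLaunchTemplateResource": "true"},
                },
            },
            {
                "Effect": "Allow",
                "Action": "ec2:RunInstances",
                "Resource": subnet_arn_pattern,
            },
        ],
    }


if __name__ == "__main__":
    # Usage: aws sts decode-authorization-message --encoded-message "$BLOB" \
    #          --query DecodedMessage --output text | python3 decode_denial.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DECODED_MESSAGE
    parsed = parse_decoded_message(raw)
    print("action  :", parsed["action"])
    print("resource:", parsed["resource"], "(%s)" % resource_type(parsed["resource"]))
    print("false keys:", false_condition_keys(parsed))
```

When the denial is for a resource type the launch template does not define, the resource ARN in the decoded message is the quickest way to see it, which is exactly how the subnet surfaced in the edit above.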


0 answers so far: