
AWS SCP 执行标签策略失败

[英]AWS SCP to enforce Tag Policy fails

我按照一篇 AWS 博客的做法，在整个 AWS 组织中实施标记策略：我创建了标签策略（Tag Policy）和 SCP，并把它们附加到了同一个 OU。标签策略如下：

{
    "tags": {
        "costcenter": {
            "tag_key": {
                "@@assign": "costcenter"
            },
            "tag_value": {
                "@@assign": [
                    "CC102",
                    "CC103",
                    "CC104"
                ]
            },
            "enforced_for": {
                "@@assign": [
                    "ec2:instance"
                ]
            }
        },
        "team": {
            "tag_key": {
                "@@assign": "team"
            },
            "tag_value": {
                "@@assign": [
                    "Team1",
                    "Team2",
                    "Team3"
                ]
            },
            "enforced_for": {
                "@@assign": [
                    "ec2:instance"
                ]
            }
        }
    }
}

SCP

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEC2CreationSCP1",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/costcenter": "true"
        }
      }
    },
    {
      "Sid": "Statement1",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/team": "true"
        }
      }
    }
  ]
}

当我尝试启动带有不合规标签的 EC2 时,我收到未授权错误以及有关违反标签策略的明确消息

使用不合规标签错误

但即使我遵守政策,我也会收到未经授权的消息

使用合规标签错误

这是解码后的消息


{
    "DecodedMessage": "{\"allowed\":false,\"explicitDeny\":true,\"matchedStatements\":{\"items\":[{\"statementId\":\"DenyEC2CreationSCP1\",\"effect\":\"DENY\",\"principals\":{\"items\":[{\"value\":\"AROAY4Z6JOQ4EEGF437YJ\"}]},\"principalGroups\":{\"items\":[]},\"actions\":{\"items\":[{\"value\":\"ec2:RunInstances\"}]},\"resources\":{\"items\":[{\"value\":\"arn:aws:ec2:*:*:instance/*\"},{\"value\":\"arn:aws:ec2:*:*:volume/*\"}]},\"conditions\":{\"items\":[{\"key\":\"aws:RequestTag/costcenter\",\"values\":{\"items\":[{\"value\":\"true\"}]}}]}},{\"statementId\":\"Statement1\",\"effect\":\"DENY\",\"principals\":{\"items\":[{\"value\":\"AROAY4Z6JOQ4EEGF437YJ\"}]},\"principalGroups\":{\"items\":[]},\"actions\":{\"items\":[{\"value\":\"ec2:RunInstances\"}]},\"resources\":{\"items\":[{\"value\":\"arn:aws:ec2:*:*:instance/*\"},{\"value\":\"arn:aws:ec2:*:*:volume/*\"}]},\"conditions\":{\"items\":[{\"key\":\"aws:RequestTag/team\",\"values\":{\"items\":[{\"value\":\"true\"}]}}]}},{\"statementId\":\"DenyEC2CreationSCP1\",\"effect\":\"DENY\",\"principals\":{\"items\":[{\"value\":\"AROAY4Z6JOQ4EEGF437YJ\"}]},\"principalGroups\":{\"items\":[]},\"actions\":{\"items\":[{\"value\":\"ec2:RunInstances\"}]},\"resources\":{\"items\":[{\"value\":\"arn:aws:ec2:*:*:instance/*\"},{\"value\":\"arn:aws:ec2:*:*:volume/*\"}]},\"conditions\":{\"items\":[{\"key\":\"aws:RequestTag/costcenter\",\"values\":{\"items\":[{\"value\":\"true\"}]}}]}},{\"statementId\":\"Statement1\",\"effect\":\"DENY\",\"principals\":{\"items\":[{\"value\":\"AROAY4Z6JOQ4EEGF437YJ\"}]},\"principalGroups\":{\"items\":[]},\"actions\":{\"items\":[{\"value\":\"ec2:RunInstances\"}]},\"resources\":{\"items\":[{\"value\":\"arn:aws:ec2:*:*:instance/*\"},{\"value\":\"arn:aws:ec2:*:*:volume/*\"}]},\"conditions\":{\"items\":[{\"key\":\"aws:RequestTag/team\",\"values\":{\"items\":[{\"value\":\"true\"}]}}]}}]},\"failures\":{\"items\":[]},\"context\":{\"principal\":{\"id\":\"AROAY4Z6JOQ4EEGF437YJ:nejla\",\"arn\":\"arn:aws:sts::611626611768
:assumed-role/OrganizationAccountAccessRole/nejla\"},\"action\":\"ec2:RunInstances\",\"resource\":\"arn:aws:ec2:us-east-1:611626611768:volume/*\",\"conditions\":{\"items\":[{\"key\":\"aws:Resource\",\"values\":{\"items\":[{\"value\":\"volume/*\"}]}},{\"key\":\"aws:Account\",\"values\":{\"items\":[{\"value\":\"611626611768\"}]}},{\"key\":\"ec2:AvailabilityZone\",\"values\":{\"items\":[{\"value\":\"us-east-1e\"}]}},{\"key\":\"ec2:Encrypted\",\"values\":{\"items\":[{\"value\":\"false\"}]}},{\"key\":\"ec2:VolumeType\",\"values\":{\"items\":[{\"value\":\"gp2\"}]}},{\"key\":\"ec2:IsLaunchTemplateResource\",\"values\":{\"items\":[{\"value\":\"false\"}]}},{\"key\":\"aws:Region\",\"values\":{\"items\":[{\"value\":\"us-east-1\"}]}},{\"key\":\"aws:Service\",\"values\":{\"items\":[{\"value\":\"ec2\"}]}},{\"key\":\"ec2:VolumeID\",\"values\":{\"items\":[{\"value\":\"*\"}]}},{\"key\":\"ec2:VolumeSize\",\"values\":{\"items\":[{\"value\":\"8\"}]}},{\"key\":\"ec2:ParentSnapshot\",\"values\":{\"items\":[{\"value\":\"arn:aws:ec2:us-east-1::snapshot/snap-0c371a5504a01769d\"}]}},{\"key\":\"aws:Type\",\"values\":{\"items\":[{\"value\":\"volume\"}]}},{\"key\":\"ec2:Region\",\"values\":{\"items\":[{\"value\":\"us-east-1\"}]}},{\"key\":\"aws:ARN\",\"values\":{\"items\":[{\"value\":\"arn:aws:ec2:us-east-1:611626611768:volume/*\"}]}}]}}}"
}

预期的结果

解码后的消息清楚地表明这是由您的 SCP 造成的显式拒绝（`"explicitDeny": true`），而且两条 Deny 语句（`DenyEC2CreationSCP1` 和 `Statement1`）都被匹配到了。（公开粘贴这类消息前，您应该先屏蔽掉其中的 AWS 账户 ID 和角色会话名。）

{
  "allowed": false,
  "explicitDeny": true,
  "matchedStatements": {
    "items": [
      {
        "statementId": "DenyEC2CreationSCP1",
        "effect": "DENY",
        "principals": {
          "items": [
            {
              "value": "AROAY4Z6JOQ4EEGF437YJ"
            }
          ]
        },
        "principalGroups": {
          "items": []
        },
        "actions": {
          "items": [
            {
              "value": "ec2:RunInstances"
            }
          ]
        },
        "resources": {
          "items": [
            {
              "value": "arn:aws:ec2:*:*:instance/*"
            },
            {
              "value": "arn:aws:ec2:*:*:volume/*"
            }
          ]
        },
        "conditions": {
          "items": [
            {
              "key": "aws:RequestTag/costcenter",
              "values": {
                "items": [
                  {
                    "value": "true"
                  }
                ]
              }
            }
          ]
        }
      },
      {
        "statementId": "Statement1",
        "effect": "DENY",
        "principals": {
          "items": [
            {
              "value": "AROAY4Z6JOQ4EEGF437YJ"
            }
          ]
        },
        "principalGroups": {
          "items": []
        },
        "actions": {
          "items": [
            {
              "value": "ec2:RunInstances"
            }
          ]
        },
        "resources": {
          "items": [
            {
              "value": "arn:aws:ec2:*:*:instance/*"
            },
            {
              "value": "arn:aws:ec2:*:*:volume/*"
            }
          ]
        },
        "conditions": {
          "items": [
            {
              "key": "aws:RequestTag/team",
              "values": {
                "items": [
                  {
                    "value": "true"
                  }
                ]
              }
            }
          ]
        }
      },
      {
        "statementId": "DenyEC2CreationSCP1",
        "effect": "DENY",
        "principals": {
          "items": [
            {
              "value": "AROAY4Z6JOQ4EEGF437YJ"
            }
          ]
        },
        "principalGroups": {
          "items": []
        },
        "actions": {
          "items": [
            {
              "value": "ec2:RunInstances"
            }
          ]
        },
        "resources": {
          "items": [
            {
              "value": "arn:aws:ec2:*:*:instance/*"
            },
            {
              "value": "arn:aws:ec2:*:*:volume/*"
            }
          ]
        },
        "conditions": {
          "items": [
            {
              "key": "aws:RequestTag/costcenter",
              "values": {
                "items": [
                  {
                    "value": "true"
                  }
                ]
              }
            }
          ]
        }
      },
      {
        "statementId": "Statement1",
        "effect": "DENY",
        "principals": {
          "items": [
            {
              "value": "AROAY4Z6JOQ4EEGF437YJ"
            }
          ]
        },
        "principalGroups": {
          "items": []
        },
        "actions": {
          "items": [
            {
              "value": "ec2:RunInstances"
            }
          ]
        },
        "resources": {
          "items": [
            {
              "value": "arn:aws:ec2:*:*:instance/*"
            },
            {
              "value": "arn:aws:ec2:*:*:volume/*"
            }
          ]
        },
        "conditions": {
          "items": [
            {
              "key": "aws:RequestTag/team",
              "values": {
                "items": [
                  {
                    "value": "true"
                  }
                ]
              }
            }
          ]
        }
      }
    ]
  },
  "failures": {
    "items": []
  },
  "context": {
    "principal": {
      "id": "AROAY4Z6JOQ4EEGF437YJ:nejla",
      "arn": "arn:aws:sts::123456789:assumed-role/OrganizationAccountAccessRole/nejla"
    },
    "action": "ec2:RunInstances",
    "resource": "arn:aws:ec2:us-east-1:123456789:volume/*",
    "conditions": {
      "items": [
        {
          "key": "aws:Resource",
          "values": {
            "items": [
              {
                "value": "volume/*"
              }
            ]
          }
        },
        {
          "key": "aws:Account",
          "values": {
            "items": [
              {
                "value": "123456789"
              }
            ]
          }
        },
        {
          "key": "ec2:AvailabilityZone",
          "values": {
            "items": [
              {
                "value": "us-east-1e"
              }
            ]
          }
        },
        {
          "key": "ec2:Encrypted",
          "values": {
            "items": [
              {
                "value": "false"
              }
            ]
          }
        },
        {
          "key": "ec2:VolumeType",
          "values": {
            "items": [
              {
                "value": "gp2"
              }
            ]
          }
        },
        {
          "key": "ec2:IsLaunchTemplateResource",
          "values": {
            "items": [
              {
                "value": "false"
              }
            ]
          }
        },
        {
          "key": "aws:Region",
          "values": {
            "items": [
              {
                "value": "us-east-1"
              }
            ]
          }
        },
        {
          "key": "aws:Service",
          "values": {
            "items": [
              {
                "value": "ec2"
              }
            ]
          }
        },
        {
          "key": "ec2:VolumeID",
          "values": {
            "items": [
              {
                "value": "*"
              }
            ]
          }
        },
        {
          "key": "ec2:VolumeSize",
          "values": {
            "items": [
              {
                "value": "8"
              }
            ]
          }
        },
        {
          "key": "ec2:ParentSnapshot",
          "values": {
            "items": [
              {
                "value": "arn:aws:ec2:us-east-1::snapshot/snap-0c371a5504a01769d"
              }
            ]
          }
        },
        {
          "key": "aws:Type",
          "values": {
            "items": [
              {
                "value": "volume"
              }
            ]
          }
        },
        {
          "key": "ec2:Region",
          "values": {
            "items": [
              {
                "value": "us-east-1"
              }
            ]
          }
        },
        {
          "key": "aws:ARN",
          "values": {
            "items": [
              {
                "value": "arn:aws:ec2:us-east-1:123456789:volume/*"
              }
            ]
          }
        }
      ]
    }
  }
}

关键线索在解码消息的 `context` 部分：被评估的资源是 `arn:aws:ec2:us-east-1:&lt;账户ID&gt;:volume/*`，而不是 `instance/*`，并且该资源的条件键列表里没有任何 `aws:RequestTag/*`。`ec2:RunInstances` 会对它创建的每一种资源（实例、EBS 卷、网络接口等）分别做一次授权；您的 SCP 把 `volume/*` 也列进了 `Resource`，而您只给实例加了标签，所以对卷这一次评估来说 `aws:RequestTag/costcenter` 和 `aws:RequestTag/team` 都为空，`Null` 条件成立，两条 Deny 同时命中。只要有一条显式拒绝匹配，SCP 就会拒绝整个请求，不管实例本身的标签是否合规。

修复方式有两种，选其一即可：(1) 启动实例时在 `TagSpecifications` 中为 `ResourceType=volume` 也附上同样的 `costcenter` 和 `team` 标签（控制台里要勾选"将标签应用到卷"）；(2) 如果您只想强制实例打标签，就把 SCP 的 `Resource` 收窄为 `arn:aws:ec2:*:*:instance/*`。另外请注意，`Null` 条件只检查标签是否存在，不校验取值；取值是否在允许列表内仍然依赖标签策略的 `enforced_for`，而您目前的 `enforced_for` 只覆盖 `ec2:instance`，如果采用方案 (1)，卷上的标签值不会被标签策略校验。
