
Issue with AWS EC2 instance on private subnet denied access for specific users

We implemented the following IAM policy and attached it to certain user groups to allow them to launch EC2 instances, create AMIs, and launch instances from those AMIs.

Our new problem is that these users cannot launch private EC2 instances, yet they are able to launch new instances in the public subnet.

Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DescribeInstances",
                "ec2:Describe*",
                "ec2:CreateSnapshot",
                "ec2:CreateImage",
                "ec2:CreateKeyPair",
                "ec2:CreateTags",
                "ec2:RunInstances",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeImages",
                "ec2:StartInstances",
                "ec2:DescribeVpcs",
                "ec2:CreateSecurityGroup",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeSubnets",
                "ec2:DescribeKeyPairs"
            ],
            "Resource": "*"
        }
    ]
}

Error: You are not authorized to perform this operation. Encoded authorization failure message: nYPzkz-yJvXNEUDaBE4_mLXT

"DecodedMessage":
{
  "allowed": false,
  "explicitDeny": false,
  "matchedStatements": {"items": []},
  "failures": {"items": []},
  "context": {
    "principal": {"id": "", "name": "", "arn": ""},
    "action": "iam:PassRole",
    "resource": "arn:aws:iam:::role/ABC-CDE-webserver",
    "conditions": {"items": [
      {"key": "aws:Region", "values": {"items": [{"value": "us-east-1"}]}},
      {"key": "aws:Service", "values": {"items": [{"value": "ec2"}]}},
      {"key": "aws:Resource", "values": {"items": [{"value": "role/ABC-CDE-webserver"}]}},
      {"key": "iam:RoleName", "values": {"items": [{"value": "ABC-CDE-webserver"}]}},
      {"key": "aws:Type", "values": {"items": [{"value": "role"}]}},
      {"key": "aws:Account", "values": {"items": [{"value": ""}]}},
      {"key": "aws:ARN", "values": {"items": [{"value": "arn:aws:iam:::role/ABC-CDE-webserver"}]}}
    ]}
  }
}

I still cannot figure out what the problem is. Does anything in this IAM policy need to be changed?

Any help would be greatly appreciated.
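The decoded message above names the denied action (iam:PassRole) and the resource (the ABC-CDE-webserver role), and shows that no statement in the attached policy matched it. As an added example that is not part of the question or the answer, the script below parses such a decoded message (the output of `aws sts decode-authorization-message`), checks whether the question's policy covers the denied action, and builds a least-privilege statement for it scoped to that one role; the policy excerpt and role ARN come from the page, while the `iam:PassedToService` condition value is an assumption about how the role is used.

```python
import fnmatch
import json

# Decoded authorization failure from the question (abridged to the fields
# this script reads), embedded as sample input so the example runs offline.
DECODED = json.loads("""{"allowed":false,"explicitDeny":false,
"matchedStatements":{"items":[]},"failures":{"items":[]},
"context":{"principal":{"id":"","name":"","arn":""},"action":"iam:PassRole",
"resource":"arn:aws:iam:::role/ABC-CDE-webserver","conditions":{"items":[
{"key":"aws:Service","values":{"items":[{"value":"ec2"}]}}]}}}""")

# The question's policy, reduced to the action patterns relevant here.
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:RunInstances"],
     "Resource": "*"}]}


def summarize_denial(decoded):
    """Extract the denied action, its resource, and the calling service."""
    ctx = decoded["context"]
    conds = {c["key"]: [v["value"] for v in c["values"]["items"]]
             for c in ctx["conditions"]["items"]}
    return {
        "action": ctx["action"],
        "resource": ctx["resource"],
        "explicit_deny": decoded["explicitDeny"],
        "matched_statements": len(decoded["matchedStatements"]["items"]),
        "calling_service": conds.get("aws:Service", [None])[0],
    }


def policy_allows(policy, action):
    """True if an Allow statement's Action pattern covers `action`.
    IAM action patterns use '*' and '?', which fnmatch handles; Resource
    and Condition are ignored, enough to explain an implicit deny."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        pats = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if any(fnmatch.fnmatchcase(action, p) for p in pats):
            return True
    return False


def passrole_statement(role_arn, service="ec2.amazonaws.com"):
    """Grant for the missing action limited to one role and one service
    (the service value is an assumption, not taken from the page)."""
    return {"Effect": "Allow", "Action": "iam:PassRole", "Resource": role_arn,
            "Condition": {"StringEquals": {"iam:PassedToService": service}}}


if __name__ == "__main__":
    info = summarize_denial(DECODED)
    print(info, "covered:", policy_allows(QUESTION_POLICY, info["action"]))
    print(json.dumps(passrole_statement(info["resource"]), indent=2))
```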

This IAM policy update solved my problem by allowing IAM users to create AMIs and launch private instances from those AMIs. This policy provides the permissions needed to do this using the AWS console or the AWS CLI.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DescribeInstances",
                "ec2:DescribeImages",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeAvailabilityZones",
                "ec2:RunInstances",
                "ec2:Describe*",
                "ec2:CreateSnapshot",
                "ec2:ImportSnapshot",
                "ec2:DescribeSnapshots",
                "ec2:CopySnapshot",
                "ec2:CreateImage",
                "ec2:CreateKeyPair",
                "ec2:CreateTags",
                "ec2:RunInstances",
                "ec2:StartInstances",
                "ec2:DescribeVpcs",
                "ec2:CreateSecurityGroup",
                "ec2:DescribeInstanceTypes",
                "ec2:AssociateIamInstanceProfile",
                "ec2:DescribeSubnets",
                "ec2:DescribeIamInstanceProfileAssociations",
                "ec2:DescribeInstances"
            ],
            "Resource": "*"
        }
    ]
}
