Issue with AWS EC2 instance on private subnet denied access for specific users
We implemented the following IAM policy and attached it to certain user groups to allow them to launch EC2 instances, create AMIs, and launch instances from those AMIs.
Our new problem is that these users cannot launch private EC2 instances, although they are able to launch new instances in the public subnet.
Policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DescribeInstances",
                "ec2:Describe*",
                "ec2:CreateSnapshot",
                "ec2:CreateImage",
                "ec2:CreateKeyPair",
                "ec2:CreateTags",
                "ec2:RunInstances",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeImages",
                "ec2:StartInstances",
                "ec2:DescribeVpcs",
                "ec2:CreateSecurityGroup",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeSubnets",
                "ec2:DescribeKeyPairs"
            ],
            "Resource": "*"
        }
    ]
}
Error: You are not authorized to perform this operation. Encoded authorization failure message: nYPzkz-yJvXNEUDaBE4_mLXT
"DecodedMessage":
{
    "allowed": false,
    "explicitDeny": false,
    "matchedStatements": {"items": []},
    "failures": {"items": []},
    "context": {
        "principal": {"id": "", "name": "", "arn": ""},
        "action": "iam:PassRole",
        "resource": "arn:aws:iam:::role/ABC-CDE-webserver",
        "conditions": {
            "items": [
                {"key": "aws:Region", "values": {"items": [{"value": "us-east-1"}]}},
                {"key": "aws:Service", "values": {"items": [{"value": "ec2"}]}},
                {"key": "aws:Resource", "values": {"items": [{"value": "role/ABC-CDE-webserver"}]}},
                {"key": "iam:RoleName", "values": {"items": [{"value": "ABC-CDE-webserver"}]}},
                {"key": "aws:Type", "values": {"items": [{"value": "role"}]}},
                {"key": "aws:Account", "values": {"items": [{"value": ""}]}},
                {"key": "aws:ARN", "values": {"items": [{"value": "arn:aws:iam:::role/ABC-CDE-webserver"}]}}
            ]
        }
    }
}
I still cannot figure out where the problem is. What is it? Does anything in this IAM policy need to change?
Any help would be appreciated.
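The decoded message in the question names the denied action and resource and lists no matched statements; as an added example that is not part of the post, the script below pulls those fields out and checks the question's own policy for any statement whose action pattern covers the denied action, which is the first thing to verify when a launch works in one subnet and fails in another. The decoded message is trimmed to the fields used here.

```python
import fnmatch

# Decoded authorization failure from the question, trimmed to the fields used
# here (condition items omitted; principal and account are blank there too).
DECODED_MESSAGE = {
    "allowed": False,
    "explicitDeny": False,
    "context": {
        "action": "iam:PassRole",
        "resource": "arn:aws:iam:::role/ABC-CDE-webserver",
    },
}

# The question's original policy: one Allow statement, ec2 actions only.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
            "ec2:AuthorizeSecurityGroupIngress", "ec2:DescribeInstances",
            "ec2:Describe*", "ec2:CreateSnapshot", "ec2:CreateImage",
            "ec2:CreateKeyPair", "ec2:CreateTags", "ec2:RunInstances",
            "ec2:StartInstances", "ec2:CreateSecurityGroup",
        ],
        "Resource": "*",
    }],
}


def summarize_failure(decoded: dict) -> dict:
    """Return the denied action, its target and whether the deny was explicit."""
    ctx = decoded["context"]
    deny = "explicit" if decoded["explicitDeny"] else "implicit"
    return {"action": ctx["action"], "resource": ctx["resource"], "deny": deny}


def statements_allowing(policy: dict, action: str) -> list:
    """Sids of Allow statements whose Action patterns name `action` (IAM matches
    case-insensitively with * and ? wildcards, as fnmatch does; Resource and
    Condition are not checked, so [] means the action is simply absent)."""
    sids = []
    for stmt in policy["Statement"]:
        patterns = stmt["Action"]
        patterns = [patterns] if isinstance(patterns, str) else patterns
        if stmt.get("Effect") == "Allow" and any(
            fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns
        ):
            sids.append(stmt.get("Sid", "<no Sid>"))
    return sids
```

With the question's data, `statements_allowing(POLICY, "iam:PassRole")` returns an empty list, matching the empty `matchedStatements` in the decoded message.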
This IAM policy update solved my problem by allowing IAM users to create AMIs and launch private instances from those AMIs. The policy provides the permissions needed to do this from the AWS Console or the AWS CLI.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DescribeInstances",
                "ec2:DescribeImages",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeAvailabilityZones",
                "ec2:RunInstances",
                "ec2:Describe*",
                "ec2:CreateSnapshot",
                "ec2:ImportSnapshot",
                "ec2:DescribeSnapshots",
                "ec2:CopySnapshot",
                "ec2:CreateImage",
                "ec2:CreateKeyPair",
                "ec2:CreateTags",
                "ec2:RunInstances",
                "ec2:StartInstances",
                "ec2:DescribeVpcs",
                "ec2:CreateSecurityGroup",
                "ec2:DescribeInstanceTypes",
                "ec2:AssociateIamInstanceProfile",
                "ec2:DescribeSubnets",
                "ec2:DescribeIamInstanceProfileAssociations",
                "ec2:DescribeInstances"
            ],
            "Resource": "*"
        }
    ]
}