[英]AWS SCP to enforce Tag Policy fails
我參照這篇 AWS 博客在整個 AWS 組織中實施標記策略。我已經創建了標簽策略和 SCP,並將它們附加到 OU。標簽政策如下:
{
"tags": {
"costcenter": {
"tag_key": {
"@@assign": "costcenter"
},
"tag_value": {
"@@assign": [
"CC102",
"CC103",
"CC104"
]
},
"enforced_for": {
"@@assign": [
"ec2:instance"
]
}
},
"team": {
"tag_key": {
"@@assign": "team"
},
"tag_value": {
"@@assign": [
"Team1",
"Team2",
"Team3"
]
},
"enforced_for": {
"@@assign": [
"ec2:instance"
]
}
}
}
}
SCP
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyEC2CreationSCP1",
"Effect": "Deny",
"Action": [
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*"
],
"Condition": {
"Null": {
"aws:RequestTag/costcenter": "true"
}
}
},
{
"Sid": "Statement1",
"Effect": "Deny",
"Action": [
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*"
],
"Condition": {
"Null": {
"aws:RequestTag/team": "true"
}
}
}
]
}
當我嘗試啟動帶有不合規標簽的 EC2 時,我收到未授權錯誤,以及一條明確指出違反標簽策略的消息。
但即使我使用符合政策的標簽,仍然會收到未經授權的消息。
這是解碼后的消息
{
"DecodedMessage": "{\"allowed\":false,\"explicitDeny\":true,\"matchedStatements\":{\"items\":[{\"statementId\":\"DenyEC2CreationSCP1\",\"effect\":\"DENY\",\"principals\":{\"items\":[{\"value\":\"AROAY4Z6JOQ4EEGF437YJ\"}]},\"principalGroups\":{\"items\":[]},\"actions\":{\"items\":[{\"value\":\"ec2:RunInstances\"}]},\"resources\":{\"items\":[{\"value\":\"arn:aws:ec2:*:*:instance/*\"},{\"value\":\"arn:aws:ec2:*:*:volume/*\"}]},\"conditions\":{\"items\":[{\"key\":\"aws:RequestTag/costcenter\",\"values\":{\"items\":[{\"value\":\"true\"}]}}]}},{\"statementId\":\"Statement1\",\"effect\":\"DENY\",\"principals\":{\"items\":[{\"value\":\"AROAY4Z6JOQ4EEGF437YJ\"}]},\"principalGroups\":{\"items\":[]},\"actions\":{\"items\":[{\"value\":\"ec2:RunInstances\"}]},\"resources\":{\"items\":[{\"value\":\"arn:aws:ec2:*:*:instance/*\"},{\"value\":\"arn:aws:ec2:*:*:volume/*\"}]},\"conditions\":{\"items\":[{\"key\":\"aws:RequestTag/team\",\"values\":{\"items\":[{\"value\":\"true\"}]}}]}},{\"statementId\":\"DenyEC2CreationSCP1\",\"effect\":\"DENY\",\"principals\":{\"items\":[{\"value\":\"AROAY4Z6JOQ4EEGF437YJ\"}]},\"principalGroups\":{\"items\":[]},\"actions\":{\"items\":[{\"value\":\"ec2:RunInstances\"}]},\"resources\":{\"items\":[{\"value\":\"arn:aws:ec2:*:*:instance/*\"},{\"value\":\"arn:aws:ec2:*:*:volume/*\"}]},\"conditions\":{\"items\":[{\"key\":\"aws:RequestTag/costcenter\",\"values\":{\"items\":[{\"value\":\"true\"}]}}]}},{\"statementId\":\"Statement1\",\"effect\":\"DENY\",\"principals\":{\"items\":[{\"value\":\"AROAY4Z6JOQ4EEGF437YJ\"}]},\"principalGroups\":{\"items\":[]},\"actions\":{\"items\":[{\"value\":\"ec2:RunInstances\"}]},\"resources\":{\"items\":[{\"value\":\"arn:aws:ec2:*:*:instance/*\"},{\"value\":\"arn:aws:ec2:*:*:volume/*\"}]},\"conditions\":{\"items\":[{\"key\":\"aws:RequestTag/team\",\"values\":{\"items\":[{\"value\":\"true\"}]}}]}}]},\"failures\":{\"items\":[]},\"context\":{\"principal\":{\"id\":\"AROAY4Z6JOQ4EEGF437YJ:nejla\",\"arn\":\"arn:aws:sts::611626611768:ass
umed-role/OrganizationAccountAccessRole/nejla\"},\"action\":\"ec2:RunInstances\",\"resource\":\"arn:aws:ec2:us-east-1:611626611768:volume/*\",\"conditions\":{\"items\":[{\"key\":\"aws:Resource\",\"values\":{\"items\":[{\"value\":\"volume/*\"}]}},{\"key\":\"aws:Account\",\"values\":{\"items\":[{\"value\":\"611626611768\"}]}},{\"key\":\"ec2:AvailabilityZone\",\"values\":{\"items\":[{\"value\":\"us-east-1e\"}]}},{\"key\":\"ec2:Encrypted\",\"values\":{\"items\":[{\"value\":\"false\"}]}},{\"key\":\"ec2:VolumeType\",\"values\":{\"items\":[{\"value\":\"gp2\"}]}},{\"key\":\"ec2:IsLaunchTemplateResource\",\"values\":{\"items\":[{\"value\":\"false\"}]}},{\"key\":\"aws:Region\",\"values\":{\"items\":[{\"value\":\"us-east-1\"}]}},{\"key\":\"aws:Service\",\"values\":{\"items\":[{\"value\":\"ec2\"}]}},{\"key\":\"ec2:VolumeID\",\"values\":{\"items\":[{\"value\":\"*\"}]}},{\"key\":\"ec2:VolumeSize\",\"values\":{\"items\":[{\"value\":\"8\"}]}},{\"key\":\"ec2:ParentSnapshot\",\"values\":{\"items\":[{\"value\":\"arn:aws:ec2:us-east-1::snapshot/snap-0c371a5504a01769d\"}]}},{\"key\":\"aws:Type\",\"values\":{\"items\":[{\"value\":\"volume\"}]}},{\"key\":\"ec2:Region\",\"values\":{\"items\":[{\"value\":\"us-east-1\"}]}},{\"key\":\"aws:ARN\",\"values\":{\"items\":[{\"value\":\"arn:aws:ec2:us-east-1:611626611768:volume/*\"}]}}]}}}"
}
解碼后的消息清楚地表明這次請求被您的 SCP 明確拒絕(explicitDeny 為 true,且 matchedStatements 中列出了兩條 DENY 語句)。(您應該遮蔽您的 AWS 賬戶 ID)
{
"allowed": false,
"explicitDeny": true,
"matchedStatements": {
"items": [
{
"statementId": "DenyEC2CreationSCP1",
"effect": "DENY",
"principals": {
"items": [
{
"value": "AROAY4Z6JOQ4EEGF437YJ"
}
]
},
"principalGroups": {
"items": []
},
"actions": {
"items": [
{
"value": "ec2:RunInstances"
}
]
},
"resources": {
"items": [
{
"value": "arn:aws:ec2:*:*:instance/*"
},
{
"value": "arn:aws:ec2:*:*:volume/*"
}
]
},
"conditions": {
"items": [
{
"key": "aws:RequestTag/costcenter",
"values": {
"items": [
{
"value": "true"
}
]
}
}
]
}
},
{
"statementId": "Statement1",
"effect": "DENY",
"principals": {
"items": [
{
"value": "AROAY4Z6JOQ4EEGF437YJ"
}
]
},
"principalGroups": {
"items": []
},
"actions": {
"items": [
{
"value": "ec2:RunInstances"
}
]
},
"resources": {
"items": [
{
"value": "arn:aws:ec2:*:*:instance/*"
},
{
"value": "arn:aws:ec2:*:*:volume/*"
}
]
},
"conditions": {
"items": [
{
"key": "aws:RequestTag/team",
"values": {
"items": [
{
"value": "true"
}
]
}
}
]
}
},
{
"statementId": "DenyEC2CreationSCP1",
"effect": "DENY",
"principals": {
"items": [
{
"value": "AROAY4Z6JOQ4EEGF437YJ"
}
]
},
"principalGroups": {
"items": []
},
"actions": {
"items": [
{
"value": "ec2:RunInstances"
}
]
},
"resources": {
"items": [
{
"value": "arn:aws:ec2:*:*:instance/*"
},
{
"value": "arn:aws:ec2:*:*:volume/*"
}
]
},
"conditions": {
"items": [
{
"key": "aws:RequestTag/costcenter",
"values": {
"items": [
{
"value": "true"
}
]
}
}
]
}
},
{
"statementId": "Statement1",
"effect": "DENY",
"principals": {
"items": [
{
"value": "AROAY4Z6JOQ4EEGF437YJ"
}
]
},
"principalGroups": {
"items": []
},
"actions": {
"items": [
{
"value": "ec2:RunInstances"
}
]
},
"resources": {
"items": [
{
"value": "arn:aws:ec2:*:*:instance/*"
},
{
"value": "arn:aws:ec2:*:*:volume/*"
}
]
},
"conditions": {
"items": [
{
"key": "aws:RequestTag/team",
"values": {
"items": [
{
"value": "true"
}
]
}
}
]
}
}
]
},
"failures": {
"items": []
},
"context": {
"principal": {
"id": "AROAY4Z6JOQ4EEGF437YJ:nejla",
"arn": "arn:aws:sts::123456789:assumed-role/OrganizationAccountAccessRole/nejla"
},
"action": "ec2:RunInstances",
"resource": "arn:aws:ec2:us-east-1:123456789:volume/*",
"conditions": {
"items": [
{
"key": "aws:Resource",
"values": {
"items": [
{
"value": "volume/*"
}
]
}
},
{
"key": "aws:Account",
"values": {
"items": [
{
"value": "123456789"
}
]
}
},
{
"key": "ec2:AvailabilityZone",
"values": {
"items": [
{
"value": "us-east-1e"
}
]
}
},
{
"key": "ec2:Encrypted",
"values": {
"items": [
{
"value": "false"
}
]
}
},
{
"key": "ec2:VolumeType",
"values": {
"items": [
{
"value": "gp2"
}
]
}
},
{
"key": "ec2:IsLaunchTemplateResource",
"values": {
"items": [
{
"value": "false"
}
]
}
},
{
"key": "aws:Region",
"values": {
"items": [
{
"value": "us-east-1"
}
]
}
},
{
"key": "aws:Service",
"values": {
"items": [
{
"value": "ec2"
}
]
}
},
{
"key": "ec2:VolumeID",
"values": {
"items": [
{
"value": "*"
}
]
}
},
{
"key": "ec2:VolumeSize",
"values": {
"items": [
{
"value": "8"
}
]
}
},
{
"key": "ec2:ParentSnapshot",
"values": {
"items": [
{
"value": "arn:aws:ec2:us-east-1::snapshot/snap-0c371a5504a01769d"
}
]
}
},
{
"key": "aws:Type",
"values": {
"items": [
{
"value": "volume"
}
]
}
},
{
"key": "ec2:Region",
"values": {
"items": [
{
"value": "us-east-1"
}
]
}
},
{
"key": "aws:ARN",
"values": {
"items": [
{
"value": "arn:aws:ec2:us-east-1:123456789:volume/*"
}
]
}
}
]
}
}
}
請確認 SCP 的條件與實際請求相符:解碼消息中 context 的 resource 是 volume/*,而您的 SCP 的 Resource 同時包含 instance/* 和 volume/*,因此 Null 條件看起來也針對隨實例一起創建的卷進行了評估,而該卷的請求標簽為空時就會命中拒絕。只要有任何一條明確拒絕命中,它始終優先於任何允許。