问题描述
我们有一些用户基本上可以使用以下策略访问所有内容:
We have a few users which basically have access to everything using the following policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
是否可以限制对选定VPC的访问?
我尝试创建以下策略并将其附加到用户(通过组):
I have tried creating the following policy and attach it to the user (via a group):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1504660000000",
"Effect": "Deny",
"Action": [
"ec2:*"
],
"Resource": [
"arn:aws:ec2:<REGION>:<ACCOUNT-ID>:vpc/<VPC-ID>"
]
}
]
}
我已替换了< REGION> < ACCOUNT-ID>和< VPC-ID>.
策略模拟器正确拒绝访问(StartInstances,StopInstances等).尽管如此,附加了此策略的用户仍然可以在vpc内创建EC2实例.
The policy simulator denies access (StartInstances, StopInstances, etc.) correctly. Nevertheless a user with this policy attached can still create EC2 instances within the vpc.
-
为什么我的策略不拒绝对VPC的访问?据我所知,"Deny"会覆盖"Allow".
Why does my policy not deny access to the VPC? As far as I know "Deny" overwrites "Allow".
实现此目标的正确方法是什么?我已阅读此和这,但不了解它如何限制访问.
What is the correct way of achieving this? I have read through this and this but don't understand how it would restrict access.
推荐答案
这是一个棘手的问题.您必须引用并包括所有支持ec2:Vpc条件的动作(包括资源),并拒绝API动作.对于其他动作,您必须找到API动作中常见的条件,并将这些动作包含在单独的语句块中,并通过其他方式拒绝它们.使用标签或其他方式.
It's a tricky one. You have to refer and include all actions including recources which supports the ec2:Vpc condition and deny the API actions. For other actions, you have to find conditions which are common in API actions and include those actions in separate statement blocks and deny those by other means e.g. using tags or something else.
此外,由于用户具有AdministratorAccess,因此必须确保用户不能分离此拒绝"策略并提升特权.
Also, as the users have AdministratorAccess, you have to make sure that the user's cannot detach this Deny policy and escalate the privilege.
对于其他使用VPC的服务,例如RDS,这是不可能的.
For other service which uses VPC e.g. RDS, it is not possible.
[1] http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-supported-iam-actions-resources.html
这篇关于AWS拒绝访问VPC的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!