Estou tentando criar uma política de usuário que permita que usuários específicos acessem somente as seguintes permissões em um VPC específico: Criar instâncias Instâncias de início Parar Instâncias Terminar Instâncias
Eu criei e testei a política no IAM e ela funciona de acordo com o Policy Simulator. No entanto, quando a aplico, o usuário NÃO consegue iniciar uma instância. Anexei a política e a mensagem de erro abaixo.
Parece que estou perdendo algumas permissões, mas não tenho certeza do que, desde que isso é executado com êxito ao usar o simulador de política.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "NonResourceBasedReadOnlyPermissions",
"Action": [
"ec2:Describe*",
"ec2:CreateKeyPair",
"ec2:CreateSecurityGroup",
"iam:GetInstanceProfile",
"iam:ListInstanceProfiles",
"aws-marketplace:viewSubscriptions",
"aws-marketplace:Subscribe"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "IAMPassRoleToInstance",
"Action": [
"iam:PassRole"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::5555555555555:role/vpc-user"
},
{
"Sid": "AllowInstanceActions",
"Effect": "Allow",
"Action": [
"ec2:RebootInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ec2:StartInstances",
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource": "arn:aws:ec2:us-east-1e:5555555555555:instance/*",
"Condition": {
"StringEquals": {
"ec2:InstanceProfile": "arn:aws:iam::5555555555555:instance-profile/vpc-user"
}
}
},
{
"Sid": "EC2RunInstances",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:us-east-1e:5555555555555:instance/*",
"Condition": {
"StringEquals": {
"ec2:InstanceProfile": "arn:aws:iam::5555555555555:instance-profile/vpc-user"
}
}
},
{
"Sid": "EC2RunInstancesSubnet",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:us-east-1e:5555555555555:subnet/*",
"Condition": {
"StringEquals": {
"ec2:vpc": "arn:aws:ec2:us-east-1e:5555555555555:vpc/vpc-1234abcd1"
}
}
},
{
"Sid": "RemainingRunInstancePermissions",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:us-east-1e:5555555555555:volume/*",
"arn:aws:ec2:us-east-1e::image/*",
"arn:aws:ec2:us-east-1e::snapshot/*",
"arn:aws:ec2:us-east-1e:5555555555555:network-interface/*",
"arn:aws:ec2:us-east-1e:5555555555555:key-pair/*",
"arn:aws:ec2:us-east-1e:5555555555555:security-group/*"
]
},
{
"Sid": "EC2VpcNonresourceSpecificActions",
"Effect": "Allow",
"Action": [
"ec2:DeleteNetworkAcl",
"ec2:DeleteNetworkAclEntry",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:DeleteSecurityGroup"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:vpc": "arn:aws:ec2:us-east-1e:5555555555555:vpc/vpc-1234abcd1"
}
}
}
]
}
Aqui está a mensagem de erro (decodificada usando awscli)
{"allowed":false,"explicitDeny":false,"matchedStatements":{"items":},"context":{"principal":{"id":"REDACTED","name":"USER.REDACTED","arn":"arn:aws:iam::5555555555555:user/USER.REDACTED"},"action":"ec2:RunInstances","resource":"arn:aws:ec2:us-east-1:5555555555555:instance/*","conditions":{"items":[{"key":"ec2:Tenancy","values":{"items":}},{"key":"ec2:AvailabilityZone","values":{"items":}},{"key":"ec2:Region","values":{"items":}},{"key":"ec2:ebsOptimized","values":{"items":}},{"key":"ec2:InstanceType","values":{"items":}},{"key":"ec2:RootDeviceType","values":{"items":}}}"
}