如何让 IAM 用户在受到 EC2 中的标签限制资源级权限限制时设置名称和其他自定义标签

How to enable IAM users to set the Name and other custom tags when limited by tag restricted resource-level permissions in EC2

我一直在尝试在 EC2 中配置基于标签的资源权限,使用的方法类似于以下问题的答案中描述的方法:Within IAM, can I restrict a group of users to access/launch/terminate only certain EC2 AMIs or instances?

我一直将其与 lambda 函数结合使用来自动标记 EC2 实例,根据调用关联 ec2:RunInstances 操作的 IAM 用户设置 OwnerPrincipalId .我一直遵循的方法记录在以下 AWS 博客 post 中:How to Automatically Tag Amazon EC2 Resources in Response to API Events

这两种方法的结合导致我的 EC2 用户权限受限,在我的 CloudFormation 模板中如下所示:

LimitedEC2Policy:
Type: "AWS::IAM::Policy"
Properties:
  PolicyName: UserLimitedEC2
  PolicyDocument:
    Version: 2012-10-17
    Statement:
      - Effect: Allow
        Action: ec2:RunInstances
        Resource:
          - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:subnet/${PrivateSubnetA}'
          - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:subnet/${PrivateSubnetB}'
          - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:subnet/${PrivateSubnetC}'
          - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:security-group/${BasicSSHAccessSecurityGroup.GroupId}'
          - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:key-pair/${AuthorizedKeyPair}'
          - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*'
          - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/*'
          - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:volume/*'
          - !Sub 'arn:aws:ec2:${AWS::Region}::image/ami-*'
        Condition:
          StringLikeIfExists:
            ec2:Vpc: !Ref Vpc
          StringLikeIfExists:
            ec2:InstanceType: !Ref EC2AllowedInstanceTypes
      - Effect: Allow
        Action:
          - ec2:TerminateInstances
          - ec2:StopInstances
          - ec2:StartInstances
        Resource:
          - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/*'
        Condition:
          StringEquals:
            ec2:ResourceTag/Owner: !Ref UserName
  Users:
    - !Ref IAMUser

这些 IAM 权限将用户限制在单个 VPC 和安全组内的一组有限子网中的 运行 EC2 实例。然后,用户只能 start/stop/terminate 在 Owner 标签中用其 IAM 用户标记的实例。

我希望能够做的是允许用户在其 EC2 资源上创建和删除任何其他标签,例如设置 Name 标签。我无法解决的是如何在不让他们更改资源上的 OwnerPrincipalId 标签的情况下做到这一点,他们没有 "own".

有没有一种方法可以限制 ec2:createTagsec2:deleteTags 操作以防止用户设置某些标签?

在对 AWS EC2 文档进行大量筛选后,我发现了以下内容:Resource-Level Permissions for Tagging

这给出了例子:

Use with the ForAllValues modifier to enforce specific tag keys if they are provided in the request (if tags are specified in the request, only specific tag keys are allowed; no other tags are allowed). For example, the tag keys environment or cost-center are allowed:

"ForAllValues:StringEquals": { "aws:TagKeys": ["environment","cost-center"] }

因为我想要实现的基本上与此相反(允许用户指定所有标签,特定标签键除外)我已经能够阻止用户 creating/deleting Owner 和 PrincipalId通过将以下 PolicyDocument 语句添加到我的 CloudFormation 模板中的用户策略来标记:

- Effect: Allow
    Action:
      - ec2:CreateTags
      - ec2:DeleteTags
    Resource:
      - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:*/*'
    Condition:
      "ForAllValues:StringNotEquals":
        aws:TagKeys:
          - "Owner"
          - "PrincipalId"

这允许用户 create/delete 他们想要的任何标签,只要它们不是 OwnerPrincipalId