I am creating a security group for EC2 instances with the following Terraform:
resource "aws_security_group" "ecs_http_access" {
  name        = "${var.prefix}-ecs-host-sg"
  description = "HTTP Access"
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
    description = "HTTP Access"
  }
}
This works fine, but I am trying to fine-tune the permissions of the user running it. My goal is to make sure the user can only create instances of type t2.micro in a specific region.
I can successfully restrict the instance type with the following working policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEqualsIfExists": {
          "ec2:InstanceType": "t2.micro"
        }
      }
    }
  ]
}
However, when I specify particular resources (I have confirmed that this includes all resources), it fails with Error creating Security Group: UnauthorizedOperation: You are not authorized to perform this operation.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": [
        "arn:aws:ec2:*:*:vpc-peering-connection/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:vpn-gateway/*",
        "arn:aws:ec2:*:*:reserved-instances/*",
        "arn:aws:ec2:*:*:vpn-connection/*",
        "arn:aws:ec2:*:*:launch-template/*",
        "arn:aws:ec2:*::snapshot/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:network-acl/*",
        "arn:aws:ec2:*:*:placement-group/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:internet-gateway/*",
        "arn:aws:ec2:*:*:route-table/*",
        "arn:aws:ec2:*:*:key-pair/*",
        "arn:aws:ec2:*:*:dhcp-options/*",
        "arn:aws:ec2:*::spot-instance-request/*",
        "arn:aws:ec2:us-east-1:*:instance/*",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:customer-gateway/*",
        "arn:aws:ec2:*::fpga-image/*",
        "arn:aws:ec2:*:*:vpc/*",
        "arn:aws:ec2:*::image/*"
      ],
      "Condition": {
        "StringEqualsIfExists": {
          "ec2:InstanceType": "t2.micro"
        }
      }
    }
  ]
}
Why does a wildcard on Resource work, but listing all resources individually does not?
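One way to reason offline about the difference between the two policies, as an added example that is not part of the question and not AWS's own evaluation engine: a minimal matcher for the Resource element of an Allow statement. It relies on the documented IAM rule that API actions which do not support resource-level permissions (many ec2:Describe* calls among them) are evaluated against the literal resource "*", so only a Resource entry of "*" can satisfy them; every ARN, account id and resource id below is constructed.

```python
import fnmatch

# Minimal Resource-element matcher. Illustration only: it covers Resource
# matching for Allow statements, not Action, Condition or Deny evaluation.

def arn_matches(pattern: str, arn: str) -> bool:
    """IAM-style match: '*' matches any run of characters, '?' one character."""
    return fnmatch.fnmatchcase(arn, pattern)

def resource_allowed(policy: dict, request_arn: str) -> bool:
    """True if some Allow statement has a Resource entry matching request_arn.

    Actions without resource-level permission support are evaluated against
    the literal resource "*" (pass "*" as request_arn to model them).
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        if any(arn_matches(p, request_arn) for p in resources):
            return True
    return False

# Constructed policies mirroring the shape of the two in the question.
WILDCARD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": ["*"]}]}
ENUMERATED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": [
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:vpc/*",
        "arn:aws:ec2:us-east-1:*:instance/*"]}]}

# Constructed request resources: a security group, instances in two regions,
# and "*" standing for a call such as ec2:DescribeSecurityGroups.
SG_ARN = "arn:aws:ec2:us-east-1:123456789012:security-group/sg-0123456789abcdef0"
INSTANCE_US = "arn:aws:ec2:us-east-1:123456789012:instance/i-0aaaaaaaaaaaaaaaa"
INSTANCE_EU = "arn:aws:ec2:eu-west-1:123456789012:instance/i-0bbbbbbbbbbbbbbbb"
NO_RESOURCE_LEVEL = "*"

def compare() -> dict:
    """Resource decisions of both policies for each constructed request."""
    requests = {"sg": SG_ARN, "instance_us": INSTANCE_US,
                "instance_eu": INSTANCE_EU, "describe": NO_RESOURCE_LEVEL}
    return {name: (resource_allowed(WILDCARD_POLICY, arn),
                   resource_allowed(ENUMERATED_POLICY, arn))
            for name, arn in requests.items()}

if __name__ == "__main__":
    for name, (wild, enum) in compare().items():
        print(f"{name:12s} wildcard={wild!s:5s} enumerated={enum}")
```

The enumerated policy still matches the security group and the us-east-1 instance (so the region restriction works), but no entry in it can match the "*" that a resource-agnostic action is checked against.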