Unexpected SCP behaviour when adding a VPC resource

Posted on 2025-01-28 16:44:23 · 1351 characters · 4 views · 0 comments

I am using an SCP policy to stop EC2 resource (subnet, security group, instance, VPC) creation when they don't have tags. I am using a tag policy to check for compliant tags.

But as soon as I add the action and resource for VPC to my SCP policy, I am not able to create a subnet or security group.

The SCP policy below works fine without the VPC resource:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1ForProjectTag",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "ec2:CreateSecurityGroup",
        "ec2:CreateSubnet"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:subnet/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/project": [
            "true"
          ]
        }
      }
    }
  ]
}

This SCP policy is breaking, i.e. I am not able to create security groups/subnets even with the proper tags.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1ForProjectTag",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "ec2:CreateSecurityGroup",
        "ec2:CreateSubnet",
        "ec2:CreateVpc"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:vpc/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/project": [
            "true"
          ]
        }
      }
    }
  ]
}

Can someone shed some light on this?


Comments (1)

感情旳空白 2025-02-04 16:44:23

It is not recommended to combine different Actions and Resources in the same statement. It could cause unexpected behaviour or other issues. Also, not all actions are applicable to all resources; you need to specify the suitable one.

So first it is necessary to split the statement into multiple ones. Then change the effect from Allow to Deny and the condition to 'StringNotEquals'.

The SCP should be similar to this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1ForProjectTag",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*"
      ],
      "Condition": {
        "ForAllValues:StringNotEquals": {
          "aws:TagKeys": [
            "project"
          ]
        }
      }
    },
    {
      "Sid": "Statement2ForProjectTag",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateSecurityGroup"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:security-group/*"
      ],
      "Condition": {
        "ForAllValues:StringNotEquals": {
          "aws:TagKeys": [
            "project"
          ]
        }
      }
    },
    {
      "Sid": "Statement3ForProjectTag",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateSubnet"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:subnet/*"
      ],
      "Condition": {
        "ForAllValues:StringNotEquals": {
          "aws:TagKeys": [
            "project"
          ]
        }
      }
    },
    {
      "Sid": "Statement4ForProjectTag",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateVpc"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:vpc/*"
      ],
      "Condition": {
        "ForAllValues:StringNotEquals": {
          "aws:TagKeys": [
            "project"
          ]
        }
      }
    }
  ]
}
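The following is an added example, not code from the question or from the answer above: a small offline model of how a Deny SCP is matched against a single CreateSubnet request, run over the three policies on this page (the working one, the one with `vpc/*` added, and the split policy from the answer). The model makes one assumption that the post itself does not state, namely that CreateSubnet is authorized against both the new subnet ARN and the existing parent VPC ARN, and that only the subnet's evaluation context carries the `aws:RequestTag/*` and `aws:TagKeys` keys for the tags being applied. Under that assumption the `vpc/*` resource in a statement whose condition tests `aws:RequestTag/project` trips the Deny on the VPC ARN even when the subnet is tagged correctly, while the answer's one-action-per-resource-type layout does not. The account id, region and VPC id are constructed sample values, and the evaluator implements only the two condition operators that appear on this page, not IAM's full logic.

```python
import fnmatch

# Constructed sample account and region for the model (not from the post).
ACCOUNT = "123456789012"
REGION = "us-east-1"
SUBNET_ARN = f"arn:aws:ec2:{REGION}:{ACCOUNT}:subnet/*"
VPC_ARN = f"arn:aws:ec2:{REGION}:{ACCOUNT}:vpc/vpc-0123456789abcdef0"


def create_subnet_request(tags):
    """Model a CreateSubnet call that tags the new subnet with `tags`.

    Assumption of this model: the call is authorized against two resource ARNs,
    the subnet being created and its parent VPC, and only the subnet's context
    carries aws:RequestTag/* and aws:TagKeys for the new tags (the VPC already
    exists, nothing is being tagged on it).
    """
    subnet_ctx = {f"aws:RequestTag/{k}": [v] for k, v in tags.items()}
    if tags:
        subnet_ctx["aws:TagKeys"] = list(tags)
    return "ec2:CreateSubnet", [(SUBNET_ARN, subnet_ctx), (VPC_ARN, {})]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, ctx):
    """Evaluate the two condition operators used on this page."""
    for operator, clauses in condition.items():
        for key, wanted in clauses.items():
            present = key in ctx
            if operator == "Null":
                # Null/"true" matches only when the key is absent from the context.
                if present == ("true" in _as_list(wanted)):
                    return False
            elif operator == "ForAllValues:StringNotEquals":
                # Every context value must differ from every wanted value; an
                # absent key has no values and therefore satisfies ForAllValues.
                if any(v in _as_list(wanted) for v in ctx.get(key, [])):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def denying_statements(policy, action, resources):
    """Return (Sid, ARN) pairs for every Deny statement the request trips.

    Each statement is tested once per resource ARN in the request, against that
    resource's own condition context; this is how one Deny can fire on the VPC
    ARN even though the subnet itself is correctly tagged.
    """
    hits = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        for arn, ctx in resources:
            if any(fnmatch.fnmatchcase(arn, r) for r in _as_list(stmt["Resource"])) \
                    and condition_matches(stmt.get("Condition", {}), ctx):
                hits.append((stmt["Sid"], arn))
    return hits


def null_tag_statement(sid, actions, resources):
    """The question's statement shape: deny when aws:RequestTag/project is absent."""
    return {"Sid": sid, "Effect": "Deny", "Action": actions, "Resource": resources,
            "Condition": {"Null": {"aws:RequestTag/project": ["true"]}}}


def tagkeys_statement(sid, action, resource):
    """The answer's statement shape: one action, one resource type, aws:TagKeys check."""
    return {"Sid": sid, "Effect": "Deny", "Action": [action], "Resource": [resource],
            "Condition": {"ForAllValues:StringNotEquals": {"aws:TagKeys": ["project"]}}}


WORKING = {"Version": "2012-10-17", "Statement": [null_tag_statement(
    "Statement1ForProjectTag",
    ["ec2:RunInstances", "ec2:CreateSecurityGroup", "ec2:CreateSubnet"],
    ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:security-group/*",
     "arn:aws:ec2:*:*:subnet/*"])]}

WITH_VPC = {"Version": "2012-10-17", "Statement": [null_tag_statement(
    "Statement1ForProjectTag",
    ["ec2:RunInstances", "ec2:CreateSecurityGroup", "ec2:CreateSubnet", "ec2:CreateVpc"],
    ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:security-group/*",
     "arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:vpc/*"])]}

SPLIT = {"Version": "2012-10-17", "Statement": [
    tagkeys_statement("Statement1ForProjectTag", "ec2:RunInstances", "arn:aws:ec2:*:*:instance/*"),
    tagkeys_statement("Statement2ForProjectTag", "ec2:CreateSecurityGroup", "arn:aws:ec2:*:*:security-group/*"),
    tagkeys_statement("Statement3ForProjectTag", "ec2:CreateSubnet", "arn:aws:ec2:*:*:subnet/*"),
    tagkeys_statement("Statement4ForProjectTag", "ec2:CreateVpc", "arn:aws:ec2:*:*:vpc/*"),
]}


def check_create_subnet(policy, tags):
    """Deny hits for a CreateSubnet request carrying `tags` under `policy`."""
    return denying_statements(policy, *create_subnet_request(tags))


if __name__ == "__main__":
    for name, policy in [("working", WORKING), ("with vpc/*", WITH_VPC), ("split", SPLIT)]:
        tagged = check_create_subnet(policy, {"project": "demo"}) or "allowed"
        untagged = check_create_subnet(policy, {}) or "allowed"
        print(f"{name:11} tagged: {tagged}  untagged: {untagged}")
```

Running the script shows the tagged CreateSubnet request passing the first policy, being denied on the VPC ARN by the second, and passing again under the split policy, while the untagged request is denied in all three cases. The practical check this suggests is to keep every tag-on-create condition in a statement that lists only the resource type actually being created, so the condition is never evaluated against a pre-existing resource whose context carries no request tags.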