Amazon Elastic Compute Cloud
User Guide for Windows Instances
Features of AWS services, or of the AWS documentation, may vary by region or location. Click Getting Started with Amazon AWS to see specific differences applicable to the China (Beijing) Region.

Supported Resource-Level Permissions for Amazon EC2 API Actions

Resource-level permissions refers to the ability to specify which resources users are allowed to perform actions on. Amazon EC2 has partial support for resource-level permissions. This means that for certain Amazon EC2 actions, you can control when users are allowed to use those actions based on conditions that have to be fulfilled, or on the specific resources that users are allowed to use. For example, you can grant users permission to launch instances, but only of a specific type, and only using a specific AMI.

The following table describes the Amazon EC2 API actions that currently support resource-level permissions, as well as the supported resources (and their ARNs) and condition keys for each action. When specifying an ARN, you can use the * wildcard in your paths; for example, when you cannot or do not want to specify exact resource IDs. For examples of using wildcards, see Example Policies for Working with the AWS CLI or an AWS SDK.

Important

If an Amazon EC2 API action is not listed in this table, then it does not support resource-level permissions. If an Amazon EC2 API action does not support resource-level permissions, you can grant users permission to use the action, but you have to specify * for the Resource element of your policy statement. For an example, see 1: Read-Only Access. For a list of Amazon EC2 API actions that currently do not support resource-level permissions, see Unsupported Resource-Level Permissions in the Amazon EC2 API Reference.

All Amazon EC2 actions support the ec2:Region condition key. For an example, see 2: Restrict Access to a Specific Region.

API action / Resource (ARN) / Condition keys

AcceptVpcPeeringConnection
    VPC peering connection
        arn:aws-cn:ec2:region:account:vpc-peering-connection/*
        arn:aws-cn:ec2:region:account:vpc-peering-connection/vpc-peering-connection-id
        Condition keys: ec2:AccepterVpc, ec2:Region, ec2:ResourceTag/tag-key, ec2:RequesterVpc
    VPC
        arn:aws-cn:ec2:region:account:vpc/*
        arn:aws-cn:ec2:region:account:vpc/vpc-id (where vpc-id is the VPC owned by the accepter)
        Condition keys: ec2:ResourceTag/tag-key, ec2:Region, ec2:Tenancy

AssociateIamInstanceProfile
    Instance
        arn:aws-cn:ec2:region:account:instance/*
        arn:aws-cn:ec2:region:account:instance/instance-id
        Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy

AttachClassicLinkVpc
    Instance
        arn:aws-cn:ec2:region:account:instance/*
        arn:aws-cn:ec2:region:account:instance/instance-id
        Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy
    Security group
        arn:aws-cn:ec2:region:account:security-group/*
        arn:aws-cn:ec2:region:account:security-group/security-group-id (where the security group belongs to the VPC)
        Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc
    VPC
        arn:aws-cn:ec2:region:account:vpc/*
        arn:aws-cn:ec2:region:account:vpc/vpc-id
        Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Tenancy

AttachVolume
    Instance
        arn:aws-cn:ec2:region:account:instance/*
        arn:aws-cn:ec2:region:account:instance/instance-id
        Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy
    Volume
        arn:aws-cn:ec2:region:account:volume/*
        arn:aws-cn:ec2:region:account:volume/volume-id
        Condition keys: ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:Region, ec2:ResourceTag/tag-key, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType

AuthorizeSecurityGroupEgress
    Security group
        arn:aws-cn:ec2:region:account:security-group/*
        arn:aws-cn:ec2:region:account:security-group/security-group-id
        Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

AuthorizeSecurityGroupIngress
    Security group
        arn:aws-cn:ec2:region:account:security-group/*
        arn:aws-cn:ec2:region:account:security-group/security-group-id
        Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

CreateTags
    DHCP options set
        arn:aws:ec2:region:account:dhcp-options/*
        arn:aws:ec2:region:account:dhcp-options/dhcp-options-id
        Condition keys: ec2:CreateAction, ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys
    Image
        arn:aws:ec2:region::image/*
        arn:aws:ec2:region::image/image-id
        Condition keys: ec2:CreateAction, ec2:ImageType, ec2:Owner, ec2:Public, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, aws:RequestTag/tag-key, aws:TagKeys
    Instance
        arn:aws:ec2:region:account:instance/*
        arn:aws:ec2:region:account:instance/instance-id
        Condition keys: ec2:AvailabilityZone, ec2:CreateAction, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy, aws:RequestTag/tag-key, aws:TagKeys
    Internet gateway
        arn:aws:ec2:region:account:internet-gateway/*
        arn:aws:ec2:region:account:internet-gateway/igw-id
        Condition keys: ec2:CreateAction, ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys
    NAT gateway
        arn:aws:ec2:region:account:natgateway/*
        arn:aws:ec2:region:account:natgateway/natgateway-id
        Condition keys: ec2:CreateAction, ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys
    Network ACL
        arn:aws:ec2:region:account:network-acl/*
        arn:aws:ec2:region:account:network-acl/nacl-id
        Condition keys: ec2:CreateAction, ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc, aws:RequestTag/tag-key, aws:TagKeys
    Network interface
        arn:aws:ec2:region:account:network-interface/*
        arn:aws:ec2:region:account:network-interface/eni-id
        Condition keys: ec2:AvailabilityZone, ec2:CreateAction, ec2:Region, ec2:Subnet, ec2:ResourceTag/tag-key, ec2:Vpc, aws:RequestTag/tag-key, aws:TagKeys
    Reserved Instance
        arn:aws:ec2:region:account:reserved-instance/*
        arn:aws:ec2:region:account:reserved-instance/reservation-id
        Condition keys: ec2:AvailabilityZone, ec2:CreateAction, ec2:InstanceType, ec2:ReservedInstancesOfferingType, ec2:Region, ec2:ResourceTag/tag-key, ec2:Tenancy, aws:RequestTag/tag-key, aws:TagKeys
    Route table
        arn:aws:ec2:region:account:route-table/*
        arn:aws:ec2:region:account:route-table/route-table-id
        Condition keys: ec2:CreateAction, ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc, aws:RequestTag/tag-key, aws:TagKeys
    Security group
        arn:aws:ec2:region:account:security-group/*
        arn:aws:ec2:region:account:security-group/security-group-id
        Condition keys: ec2:CreateAction, ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc, aws:RequestTag/tag-key, aws:TagKeys
    Snapshot
        arn:aws:ec2:region::snapshot/*
        arn:aws:ec2:region::snapshot/snapshot-id
        Condition keys: ec2:CreateAction, ec2:Owner, ec2:ParentVolume, ec2:Region, ec2:ResourceTag/tag-key, ec2:SnapshotTime, ec2:VolumeSize, aws:RequestTag/tag-key, aws:TagKeys
    Spot Instance request
        arn:aws:ec2:region:account:spot-instances-request/*
        arn:aws:ec2:region:account:spot-instances-request/spot-instance-request-id
        Condition keys: ec2:CreateAction, ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys
    Subnet
        arn:aws:ec2:region:account:subnet/*
        arn:aws:ec2:region:account:subnet/subnet-id
        Condition keys: ec2:AvailabilityZone, ec2:CreateAction, ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc, aws:RequestTag/tag-key, aws:TagKeys
    Volume
        arn:aws:ec2:region:account:volume/*
        arn:aws:ec2:region:account:volume/volume-id
        Condition keys: ec2:AvailabilityZone, ec2:CreateAction, ec2:Encrypted, ec2:ParentSnapshot, ec2:Region, ec2:ResourceTag/tag-key, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType, aws:RequestTag/tag-key, aws:TagKeys
    VPC
        arn:aws:ec2:region:account:vpc/*
        arn:aws:ec2:region:account:vpc/vpc-id
        Condition keys: ec2:CreateAction, ec2:Region, ec2:ResourceTag/tag-key, ec2:Tenancy, aws:RequestTag/tag-key, aws:TagKeys
    VPN connection
        arn:aws:ec2:region:account:vpn-connection/*
        arn:aws:ec2:region:account:vpn-connection/vpn-connection-id
        Condition keys: ec2:CreateAction, ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys
    VPN gateway
        arn:aws:ec2:region:account:vpn-gateway/*
        arn:aws:ec2:region:account:vpn-gateway/vpn-gateway-id
        Condition keys: ec2:CreateAction, ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys

CreateVolume
    Volume
        arn:aws-cn:ec2:region:account:volume/*
        Condition keys: ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:Region, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType, aws:RequestTag/tag-key, aws:TagKeys

CreateVpcPeeringConnection
    VPC
        arn:aws-cn:ec2:region:account:vpc/*
        arn:aws-cn:ec2:region:account:vpc/vpc-id (where vpc-id is the requester's VPC)
        Condition keys: ec2:ResourceTag/tag-key, ec2:Region, ec2:Tenancy
    VPC peering connection
        arn:aws-cn:ec2:region:account:vpc-peering-connection/*
        Condition keys: ec2:AccepterVpc, ec2:Region, ec2:RequesterVpc

DeleteCustomerGateway
    Customer gateway
        arn:aws-cn:ec2:region:account:customer-gateway/*
        arn:aws-cn:ec2:region:account:customer-gateway/cgw-id
        Condition keys: ec2:Region, ec2:ResourceTag/tag-key

DeleteDhcpOptions
    DHCP options set
        arn:aws-cn:ec2:region:account:dhcp-options/*
        arn:aws-cn:ec2:region:account:dhcp-options/dhcp-options-id
        Condition keys: ec2:Region, ec2:ResourceTag/tag-key

DeleteInternetGateway
    Internet gateway
        arn:aws-cn:ec2:region:account:internet-gateway/*
        arn:aws-cn:ec2:region:account:internet-gateway/igw-id
        Condition keys: ec2:Region, ec2:ResourceTag/tag-key

DeleteNetworkAcl
    Network ACL
        arn:aws-cn:ec2:region:account:network-acl/*
        arn:aws-cn:ec2:region:account:network-acl/nacl-id
        Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

DeleteNetworkAclEntry
    Network ACL
        arn:aws-cn:ec2:region:account:network-acl/*
        arn:aws-cn:ec2:region:account:network-acl/nacl-id
        Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

DeleteRoute
    Route table
        arn:aws-cn:ec2:region:account:route-table/*
        arn:aws-cn:ec2:region:account:route-table/route-table-id
        Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

DeleteRouteTable
    Route table
        arn:aws-cn:ec2:region:account:route-table/*
        arn:aws-cn:ec2:region:account:route-table/route-table-id
        Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

DeleteSecurityGroup
    Security group
        arn:aws-cn:ec2:region:account:security-group/security-group-id
        Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

DeleteTags
    DHCP options set
        arn:aws:ec2:region:account:dhcp-options/*
        arn:aws:ec2:region:account:dhcp-options/dhcp-options-id
        Condition keys: ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys
    Image
        arn:aws:ec2:region::image/*
        arn:aws:ec2:region::image/image-id
        Condition keys: ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys
    Instance
        arn:aws:ec2:region:account:instance/*
        arn:aws:ec2:region:account:instance/instance-id
        Condition keys: ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys
    Internet gateway
        arn:aws:ec2:region:account:internet-gateway/*
        arn:aws:ec2:region:account:internet-gateway/igw-id
        Condition keys: ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys
    Network ACL
        arn:aws:ec2:region:account:network-acl/*
        arn:aws:ec2:region:account:network-acl/nacl-id
        Condition keys: ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys
    Network interface
        arn:aws:ec2:region:account:network-interface/*
        arn:aws:ec2:region:account:network-interface/eni-id
        Condition keys: ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys
    Reserved Instance
        arn:aws:ec2:region:account:reserved-instance/*
        arn:aws:ec2:region:account:reserved-instance/reservation-id
        Condition keys: ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys
    Route table
        arn:aws:ec2:region:account:route-table/*
        arn:aws:ec2:region:account:route-table/route-table-id
        Condition keys: ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys
    Security group
        arn:aws:ec2:region:account:security-group/*
        arn:aws:ec2:region:account:security-group/security-group-id
        Condition keys: ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys
    Snapshot
        arn:aws:ec2:region::snapshot/*
        arn:aws:ec2:region::snapshot/snapshot-id
        Condition keys: ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys
    Spot Instance request
        arn:aws:ec2:region:account:spot-instances-request/*
        arn:aws:ec2:region:account:spot-instances-request/spot-instance-request-id
        Condition keys: ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys
    Subnet
        arn:aws:ec2:region:account:subnet/*
        arn:aws:ec2:region:account:subnet/subnet-id
        Condition keys: ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys
    Volume
        arn:aws:ec2:region:account:volume/*
        arn:aws:ec2:region:account:volume/volume-id
        Condition keys: ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys
    VPC
        arn:aws:ec2:region:account:vpc/*
        arn:aws:ec2:region:account:vpc/vpc-id
        Condition keys: ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys
    VPN connection
        arn:aws:ec2:region:account:vpn-connection/*
        arn:aws:ec2:region:account:vpn-connection/vpn-connection-id
        Condition keys: ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys
    VPN gateway
        arn:aws:ec2:region:account:vpn-gateway/*
        arn:aws:ec2:region:account:vpn-gateway/vpn-gateway-id
        Condition keys: ec2:Region, ec2:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys

DeleteVolume
    Volume
        arn:aws-cn:ec2:region:account:volume/*
        arn:aws-cn:ec2:region:account:volume/volume-id
        Condition keys: ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:Region, ec2:ResourceTag/tag-key, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType

DeleteVpcPeeringConnection
    VPC peering connection
        arn:aws-cn:ec2:region:account:vpc-peering-connection/*
        arn:aws-cn:ec2:region:account:vpc-peering-connection/vpc-peering-connection-id
        Condition keys: ec2:AccepterVpc, ec2:Region, ec2:ResourceTag/tag-key, ec2:RequesterVpc

DetachClassicLinkVpc
    Instance
        arn:aws-cn:ec2:region:account:instance/*
        arn:aws-cn:ec2:region:account:instance/instance-id
        Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy
    VPC
        arn:aws-cn:ec2:region:account:vpc/*
        arn:aws-cn:ec2:region:account:vpc/vpc-id
        Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Tenancy

DetachVolume
    Instance
        arn:aws-cn:ec2:region:account:instance/*
        arn:aws-cn:ec2:region:account:instance/instance-id
        Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy
    Volume
        arn:aws-cn:ec2:region:account:volume/*
        arn:aws-cn:ec2:region:account:volume/volume-id
        Condition keys: ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:Region, ec2:ResourceTag/tag-key, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType

DisableVpcClassicLink
    VPC
        arn:aws-cn:ec2:region:account:vpc/*
        arn:aws-cn:ec2:region:account:vpc/vpc-id
        Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Tenancy

DisassociateIamInstanceProfile
    Instance
        arn:aws-cn:ec2:region:account:instance/*
        arn:aws-cn:ec2:region:account:instance/instance-id
        Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy

EnableVpcClassicLink
    VPC
        arn:aws-cn:ec2:region:account:vpc/*
        arn:aws-cn:ec2:region:account:vpc/vpc-id
        Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Tenancy

GetConsoleScreenshot
    Instance
        arn:aws-cn:ec2:region:account:instance/*
        arn:aws-cn:ec2:region:account:instance/instance-id
        Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy

RebootInstances
    Instance
        arn:aws-cn:ec2:region:account:instance/*
        arn:aws-cn:ec2:region:account:instance/instance-id
        Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy

RejectVpcPeeringConnection
    VPC peering connection
        arn:aws-cn:ec2:region:account:vpc-peering-connection/*
        arn:aws-cn:ec2:region:account:vpc-peering-connection/vpc-peering-connection-id
        Condition keys: ec2:AccepterVpc, ec2:Region, ec2:ResourceTag/tag-key, ec2:RequesterVpc

ReplaceIamInstanceProfileAssociation
    Instance
        arn:aws-cn:ec2:region:account:instance/*
        arn:aws-cn:ec2:region:account:instance/instance-id
        Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy

RevokeSecurityGroupEgress
    Security group
        arn:aws-cn:ec2:region:account:security-group/*
        arn:aws-cn:ec2:region:account:security-group/security-group-id
        Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

RevokeSecurityGroupIngress
    Security group
        arn:aws-cn:ec2:region:account:security-group/*
        arn:aws-cn:ec2:region:account:security-group/security-group-id
        Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

RunInstances
    Elastic GPU
        arn:aws-cn:ec2:region:account:elastic-gpu/*
        Condition keys: ec2:ElasticGpuType, ec2:Region
    Image
        arn:aws-cn:ec2:region::image/*
        arn:aws-cn:ec2:region::image/image-id
        Condition keys: ec2:ImageType, ec2:Owner, ec2:Public, ec2:Region, ec2:RootDeviceType, ec2:ResourceTag/tag-key
    Instance
        arn:aws-cn:ec2:region:account:instance/*
        Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:RootDeviceType, ec2:Tenancy, aws:RequestTag/tag-key, aws:TagKeys
    Key pair
        arn:aws-cn:ec2:region:account:key-pair/*
        arn:aws-cn:ec2:region:account:key-pair/key-pair-name
        Condition keys: ec2:Region
    Network interface
        arn:aws-cn:ec2:region:account:network-interface/*
        arn:aws-cn:ec2:region:account:network-interface/eni-id
        Condition keys: ec2:AvailabilityZone, ec2:Region, ec2:Subnet, ec2:ResourceTag/tag-key, ec2:Vpc
    Placement group
        arn:aws-cn:ec2:region:account:placement-group/*
        arn:aws-cn:ec2:region:account:placement-group/placement-group-name
        Condition keys: ec2:Region, ec2:PlacementGroupStrategy
    Security group
        arn:aws-cn:ec2:region:account:security-group/*
        arn:aws-cn:ec2:region:account:security-group/security-group-id
        Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc
    Snapshot
        arn:aws-cn:ec2:region::snapshot/*
        arn:aws-cn:ec2:region::snapshot/snapshot-id
        Condition keys: ec2:Owner, ec2:ParentVolume, ec2:Region, ec2:SnapshotTime, ec2:ResourceTag/tag-key, ec2:VolumeSize
    Subnet
        arn:aws-cn:ec2:region:account:subnet/*
        arn:aws-cn:ec2:region:account:subnet/subnet-id
        Condition keys: ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc
    Volume
        arn:aws-cn:ec2:region:account:volume/*
        Condition keys: ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:Region, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType, aws:RequestTag/tag-key, aws:TagKeys

StartInstances
    Instance
        arn:aws-cn:ec2:region:account:instance/*
        arn:aws-cn:ec2:region:account:instance/instance-id
        Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy

StopInstances
    Instance
        arn:aws-cn:ec2:region:account:instance/*
        arn:aws-cn:ec2:region:account:instance/instance-id
        Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy

TerminateInstances
    Instance
        arn:aws-cn:ec2:region:account:instance/*
        arn:aws-cn:ec2:region:account:instance/instance-id
        Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:ResourceTag/tag-key, ec2:RootDeviceType, ec2:Tenancy

UpdateSecurityGroupRuleDescriptionsEgress
    Security group
        arn:aws-cn:ec2:region:account:security-group/*
        arn:aws-cn:ec2:region:account:security-group/security-group-id
        Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

UpdateSecurityGroupRuleDescriptionsIngress
    Security group
        arn:aws-cn:ec2:region:account:security-group/*
        arn:aws-cn:ec2:region:account:security-group/security-group-id
        Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

Resource-Level Permissions for RunInstances

The RunInstances API action launches one or more instances, and creates and uses a number of Amazon EC2 resources. The action requires an AMI and creates an instance; the instance must be associated with a security group. Launching into a VPC requires a subnet and creates a network interface. Launching from an Amazon EBS-backed AMI creates a volume. The user must have permissions to use these resources, so they must be specified in the Resource element of any policy that uses resource-level permissions for the ec2:RunInstances action. If you don't intend to use resource-level permissions for the ec2:RunInstances action, you can specify the * wildcard in the Resource element of your statement instead of individual ARNs.

If you are using resource-level permissions, the following table describes the minimum resources required to use the ec2:RunInstances action.

Launch type / Required resources / Condition keys

Launch into EC2-Classic from an instance store-backed AMI
    arn:aws-cn:ec2:region:account:instance/*
        Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:RootDeviceType, ec2:Tenancy
    arn:aws-cn:ec2:region::image/* (or a specific AMI ID)
        Condition keys: ec2:ImageType, ec2:Owner, ec2:Public, ec2:Region, ec2:RootDeviceType, ec2:ResourceTag/tag-key
    arn:aws-cn:ec2:region:account:security-group/* (or a specific security group ID)
        Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

Launch into EC2-Classic from an Amazon EBS-backed AMI
    arn:aws-cn:ec2:region:account:instance/*
        Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:RootDeviceType, ec2:Tenancy
    arn:aws-cn:ec2:region::image/* (or a specific AMI ID)
        Condition keys: ec2:ImageType, ec2:Owner, ec2:Public, ec2:Region, ec2:RootDeviceType, ec2:ResourceTag/tag-key
    arn:aws-cn:ec2:region:account:security-group/* (or a specific security group ID)
        Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc
    arn:aws-cn:ec2:region:account:volume/*
        Condition keys: ec2:AvailabilityZone, ec2:ParentSnapshot, ec2:Region, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType

Launch into a VPC from an instance store-backed AMI
    arn:aws-cn:ec2:region:account:instance/*
        Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:RootDeviceType, ec2:Tenancy
    arn:aws-cn:ec2:region::image/* (or a specific AMI ID)
        Condition keys: ec2:ImageType, ec2:Owner, ec2:Public, ec2:Region, ec2:RootDeviceType, ec2:ResourceTag/tag-key
    arn:aws-cn:ec2:region:account:security-group/* (or a specific security group ID)
        Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc
    arn:aws-cn:ec2:region:account:network-interface/* (or a specific network interface ID)
        Condition keys: ec2:AvailabilityZone, ec2:Region, ec2:Subnet, ec2:ResourceTag/tag-key, ec2:Vpc
    arn:aws-cn:ec2:region:account:subnet/* (or a specific subnet ID)
        Condition keys: ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

Launch into a VPC from an Amazon EBS-backed AMI
    arn:aws-cn:ec2:region:account:instance/*
        Condition keys: ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:RootDeviceType, ec2:Tenancy
    arn:aws-cn:ec2:region::image/* (or a specific AMI ID)
        Condition keys: ec2:ImageType, ec2:Owner, ec2:Public, ec2:Region, ec2:RootDeviceType, ec2:ResourceTag/tag-key
    arn:aws-cn:ec2:region:account:security-group/* (or a specific security group ID)
        Condition keys: ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc
    arn:aws-cn:ec2:region:account:network-interface/* (or a specific network interface ID)
        Condition keys: ec2:AvailabilityZone, ec2:Region, ec2:Subnet, ec2:ResourceTag/tag-key, ec2:Vpc
    arn:aws-cn:ec2:region:account:volume/*
        Condition keys: ec2:AvailabilityZone, ec2:Encrypted, ec2:ParentSnapshot, ec2:Region, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType
    arn:aws-cn:ec2:region:account:subnet/* (or a specific subnet ID)
        Condition keys: ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc

We recommend that you also specify the key pair resource in your policy: even though it is not required to launch an instance, you cannot connect to your instance without a key pair. For examples of using resource-level permissions with the ec2:RunInstances action, see 5: Launch Instances (RunInstances).
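As an added illustration (not code from the AWS documentation), the following Python encodes the launch-type table above and reports which of the resources ec2:RunInstances needs are not covered by the Resource element of an IAM Allow statement, honouring * wildcards and the table's rule that an instance or volume can only be matched by "/*" while an image, security group, network interface or subnet may be named by ID. The sample policy, region, account ID and AMI ID are constructed placeholders.

```python
from fnmatch import fnmatchcase

PARTITION = "aws-cn"  # the ARNs on this page use the China (Beijing) partition

# Resource types ec2:RunInstances must be allowed to use, per launch type
# (transcribed from the table above; a key pair is recommended, not required).
REQUIRED = {
    "classic-instance-store": ["instance", "image", "security-group"],
    "classic-ebs": ["instance", "image", "security-group", "volume"],
    "vpc-instance-store": ["instance", "image", "security-group",
                           "network-interface", "subnet"],
    "vpc-ebs": ["instance", "image", "security-group",
                "network-interface", "volume", "subnet"],
}
# Types the table lets you pin to a specific ID instead of the "/*" wildcard.
SPECIFIC_ID_OK = {"image", "security-group", "network-interface", "subnet"}


def required_arn(rtype, region, account):
    """Wildcard ARN for one resource type; image ARNs have no account field."""
    acct = "" if rtype == "image" else account
    return f"arn:{PARTITION}:ec2:{region}:{acct}:{rtype}/*"


def covers(pattern, needed, rtype):
    """Does one Resource entry (with * wildcards) cover the ARN RunInstances needs?"""
    if "/" not in pattern:  # e.g. "*" or "arn:aws-cn:ec2:*:*:*"
        return fnmatchcase(needed, pattern)
    p_head, _, p_id = pattern.rpartition("/")
    n_head, _, _ = needed.rpartition("/")
    if not fnmatchcase(n_head, p_head):  # partition, region, account, type
        return False
    # A new instance or volume has no ID yet, so only "/*" can cover it; an
    # image, security group, network interface or subnet may be named by ID.
    return p_id == "*" or (rtype in SPECIFIC_ID_OK and p_id != "")


def allowed_resources(policy, action):
    """Resource entries of every Allow statement that grants the action."""
    out = []
    for stmt in policy.get("Statement", []):
        acts = stmt.get("Action", [])
        acts = [acts] if isinstance(acts, str) else acts
        if stmt.get("Effect") != "Allow" or not any(fnmatchcase(action, a) for a in acts):
            continue
        res = stmt.get("Resource", [])
        out.extend([res] if isinstance(res, str) else res)
    return out


def missing_resources(policy, launch_type, region, account):
    """Required ARNs for the launch type that no Resource entry covers."""
    patterns = allowed_resources(policy, "ec2:RunInstances")
    missing = []
    for rtype in REQUIRED[launch_type]:
        arn = required_arn(rtype, region, account)
        if not any(covers(p, arn, rtype) for p in patterns):
            missing.append(arn)
    return missing


# Constructed sample: launches pinned to one AMI, but the statement omits the
# resources only a VPC or EBS-backed launch creates. IDs are placeholders.
SAMPLE_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:RunInstances"],
    "Resource": [
        "arn:aws-cn:ec2:cn-north-1:123456789012:instance/*",
        "arn:aws-cn:ec2:cn-north-1::image/ami-0123456789abcdef0",
        "arn:aws-cn:ec2:cn-north-1:123456789012:security-group/*",
        "arn:aws-cn:ec2:cn-north-1:123456789012:subnet/*",
    ],
}]}
```

Calling missing_resources(SAMPLE_POLICY, "vpc-ebs", "cn-north-1", "123456789012") returns the network-interface and volume ARNs, which is exactly the gap that makes an EBS-backed VPC launch fail under this policy.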

For more information about resource-level permissions in Amazon EC2, see the following AWS Security Blog post: Demystifying EC2 Resource-Level Permissions.

Resource-Level Permissions for Tagging

Some resource-creating Amazon EC2 API actions enable you to specify tags when you create the resource. For more information, see Tagging Your Resources.

To enable users to tag resources on creation, they must have permissions to use the action that creates the resource, such as ec2:RunInstances or ec2:CreateVolume. If tags are specified in the resource-creating action, Amazon performs additional authorization on the ec2:CreateTags action to verify that the user has permission to create tags. Therefore, users must also have explicit permission to use the ec2:CreateTags action.

For the ec2:CreateTags action, you can use the ec2:CreateAction condition key to restrict tagging permissions to resource-creating actions only. For example, the following policy allows users to launch instances and apply any tags to instances and volumes during launch. Users are not permitted to tag any existing resources (they cannot call the ec2:CreateTags action directly).

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "ec2:RunInstances" ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [ "ec2:CreateTags" ],
      "Resource": "arn:aws:ec2:region:account:*/*",
      "Condition": {
        "StringEquals": { "ec2:CreateAction": "RunInstances" }
      }
    }
  ]
}

Similarly, the following policy allows users to create volumes and apply any tags to the volumes during volume creation. Users are not permitted to tag any existing resources (they cannot call the ec2:CreateTags action directly).

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "ec2:CreateVolume" ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [ "ec2:CreateTags" ],
      "Resource": "arn:aws:ec2:region:account:*/*",
      "Condition": {
        "StringEquals": { "ec2:CreateAction": "CreateVolume" }
      }
    }
  ]
}

The ec2:CreateTags action is only evaluated if tags are applied during the resource-creating action. Therefore, a user who has permission to create a resource (assuming there are no tagging conditions) does not need permission to use the ec2:CreateTags action if no tags are specified in the request. However, if the user attempts to create a resource with tags, the request fails if the user does not have permission to use the ec2:CreateTags action.

You can control the tag keys and values that are applied to resources using the following condition keys:

  • aws:RequestTag: Indicates that a particular tag key, or tag key and value, must be present in the request. Other tags can also be specified in the request.

    • Use with the StringEquals condition operator to enforce a specific tag key and value combination, for example, to enforce the tag cost-center=cc123:

      "StringEquals": { "aws:RequestTag/cost-center": "cc123" }

    • Use with the StringLike condition operator to enforce a specific tag key in the request, for example, to enforce the tag key purpose:

      "StringLike": { "aws:RequestTag/purpose": "*" }

  • aws:TagKeys: Enforces the tag keys that are used in the request.

    • Use with the ForAllValues modifier to enforce specific tag keys if they are provided in the request (if tags are specified in the request, only the specified tag keys are allowed; no other tags are allowed). For example, only the tag keys environment and cost-center are allowed:

      "ForAllValues:StringEquals": { "aws:TagKeys": ["environment","cost-center"] }

    • Use with the ForAnyValue modifier to enforce the presence of at least one of the specified tag keys in the request. For example, at least one of the tag keys environment or webserver must be present in the request:

      "ForAnyValue:StringEquals": { "aws:TagKeys": ["environment","webserver"] }

These condition keys can be applied to resource-creating actions that support tagging, as well as to the ec2:CreateTags and ec2:DeleteTags actions.

To force users to specify tags when they create a resource, you must use the aws:RequestTag condition key, or the aws:TagKeys condition key with the ForAnyValue modifier, on the resource-creating action. The ec2:CreateTags action is not evaluated if a user does not specify tags for the resource-creating action.

For conditions, condition keys are not case-sensitive, while condition values are case-sensitive. Therefore, to enforce the case of a tag key, use the aws:TagKeys condition key, where the tag key is specified as a value in the condition.
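The condition semantics described above, as an added example that is not part of the AWS documentation: a small Python evaluator that applies StringEquals and StringLike to aws:RequestTag, ForAllValues and ForAnyValue to aws:TagKeys, and the two-step ec2:CreateAction check, to the tags carried by a request. It reproduces the case rules stated above (keys compare case-insensitively, values case-sensitively); Resource matching is left out, and the sample policy and tag sets are constructed for illustration.

```python
from fnmatch import fnmatchcase

# String operators: condition *values* compare case-sensitively.
OPERATORS = {"StringEquals": lambda actual, wanted: actual == wanted,
             "StringLike": lambda actual, wanted: fnmatchcase(actual, wanted)}


def _match(op, actual, wanted):
    """One value satisfies the operator if it matches any listed value."""
    wanted = [wanted] if isinstance(wanted, str) else wanted
    return any(OPERATORS[op](actual, w) for w in wanted)


def _single_value(cond_key, request_tags, context):
    """Resolve a single-valued key. Condition *keys* are case-insensitive, so
    aws:RequestTag/Purpose and aws:RequestTag/purpose name the same tag."""
    lk = cond_key.lower()
    if lk.startswith("aws:requesttag/"):
        tag_key = lk.split("/", 1)[1]
        return next((v for k, v in request_tags.items() if k.lower() == tag_key), None)
    return next((v for k, v in context.items() if k.lower() == lk), None)


def condition_passes(condition, request_tags, context=None):
    """Evaluate one Condition block against the tags of a request, plus other
    single-valued keys (such as ec2:CreateAction) supplied in `context`."""
    context = context or {}
    for op_spec, pairs in condition.items():
        set_op, _, op = op_spec.rpartition(":")  # e.g. "ForAllValues:StringEquals"
        for cond_key, wanted in pairs.items():
            if cond_key.lower() == "aws:tagkeys":  # multi-valued: every key in the request
                hits = [_match(op, k, wanted) for k in request_tags]
                # ForAllValues: every request key must match (no tags = vacuous pass);
                # ForAnyValue: at least one must match (no tags = fail).
                ok = all(hits) if set_op == "ForAllValues" else any(hits)
            else:
                actual = _single_value(cond_key, request_tags, context)
                ok = actual is not None and _match(op, actual, wanted)
            if not ok:
                return False
    return True


def _allows(policy, action, request_tags, context):
    """True if an Allow statement names the action and its Condition passes."""
    for stmt in policy["Statement"]:
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt.get("Effect") == "Allow" and action in acts and \
                condition_passes(stmt.get("Condition", {}), request_tags, context):
            return True
    return False


def creation_request_allowed(policy, action, request_tags):
    """Two-step authorization from the text: the creating action must be allowed;
    only if the request carries tags is ec2:CreateTags also checked."""
    context = {"ec2:CreateAction": action.split(":", 1)[1]}
    if not _allows(policy, action, request_tags, context):
        return False
    return not request_tags or _allows(policy, "ec2:CreateTags", request_tags, context)


# Constructed sample policy: tags may be applied only at launch, only with the
# keys environment and cost-center, and cost-center must be cc123.
SAMPLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:RunInstances"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:CreateTags"],
     "Resource": "arn:aws-cn:ec2:*:*:*/*",
     "Condition": {
         "StringEquals": {"ec2:CreateAction": "RunInstances",
                          "aws:RequestTag/cost-center": "cc123"},
         "ForAllValues:StringEquals": {"aws:TagKeys": ["environment", "cost-center"]}}},
]}
```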

For more information about multi-value conditions, see Creating a Condition That Tests Multiple Key Values in the IAM User Guide. For example IAM policies, see Example Policies for Working with the AWS CLI or an AWS SDK.