Amazon Elastic Compute Cloud(Amazon EC2)的示例 SCP - Amazon Organizations
需要 Amazon EC2 实例以使用特定类型防止在没有 IMDSv2 的情况下启动 EC2 实例防止禁用默认 Amazon EBS 加密防止创建和附加非 gp3 卷
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 中国的 Amazon Web Services 服务入门 (PDF)

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

Amazon Elastic Compute Cloud(Amazon EC2)的示例 SCP

需要 Amazon EC2 实例以使用特定类型

借助此 SCP,任何不使用 t2.micro 实例类型启动的实例都将被拒绝。

{
  "Version": "2012-10-17",		 	 	 
  "Statement": [
    {
      "Sid": "RequireMicroInstanceType",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": "t2.micro"
        }
      }
    }
  ]
}

防止在没有 IMDSv2 的情况下启动 EC2 实例

以下策略限制所有用户在没有 IMDSv2 的情况下启动 EC2 实例。


{
  "Version": "2012-10-17",		 	 	 
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:MetadataHttpTokens": "required"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "NumericGreaterThan": {
          "ec2:MetadataHttpPutResponseHopLimit": "2"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "NumericLessThan": {
          "ec2:RoleDelivery": "2.0"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "ec2:ModifyInstanceMetadataOptions",
      "Resource": "*"
    }
  ]
}

以下策略限制所有用户在没有 IMDSv2 的情况下启动 EC2 实例,但允许特定 IAM 身份修改实例元数据选项。

[
  {
    "Effect": "Deny",
    "Action": "ec2:RunInstances",
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {
      "StringNotEquals": {
        "ec2:MetadataHttpTokens": "required"
      }
    }
  },
  {
    "Effect": "Deny",
    "Action": "ec2:RunInstances",
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {
      "NumericGreaterThan": {
        "ec2:MetadataHttpPutResponseHopLimit": "2"
      }
    }
  },
  {
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
      "NumericLessThan": {
        "ec2:RoleDelivery": "2.0"
      }
    }
  },
  {
    "Effect": "Deny",
    "Action": "ec2:ModifyInstanceMetadataOptions",
    "Resource": "*",
    "Condition": {
      "ArnNotLike": {
        "aws:PrincipalARN": [
          "arn:aws:iam::{ACCOUNT_ID}:{RESOURCE_TYPE}/{RESOURCE_NAME}"
        ]
      }
    }
  }
]

防止禁用默认 Amazon EBS 加密

以下策略限制所有用户禁用默认 Amazon EBS 加密。


{
  "Version": "2012-10-17",		 	 	 
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ec2:DisableEbsEncryptionByDefault"
      ],
      "Resource": "*"
    }
  ]
}

防止创建和附加非 gp3 卷

以下策略可限制所有用户创建或附加任何非 gp3 卷类型的 Amazon EBS 卷。有关更多信息,请参阅 Amazon EBS 卷类型

{
  "Version": "2012-10-17",		 	 	 
  "Statement": [
    {
      "Sid": "DenyCreationAndAttachmentOfNonGP3Volumes",
      "Effect": "Deny",
      "Action": [
        "ec2:AttachVolume",
        "ec2:CreateVolume",
        "ec2:RunInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:volume/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:VolumeType": "gp3"
        }
      }
    }
  ]
}

这有助于在整个组织中强制执行标准化卷配置。

卷类型修改不受限制

您无法使用 SCP 来限制将现有 gp3 卷修改为其他类型 Amazon EBS 卷的操作。例如,此 SCP 不会阻止您将现有 gp3 卷修改为 gp2 卷。这是因为条件键 ec2:VolumeType 会在修改卷类型之前检查卷类型。