本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
Amazon Elastic Compute Cloud(Amazon EC2)的示例 SCP
需要 Amazon EC2 实例以使用特定类型
借助此 SCP,任何不使用 t2.micro 实例类型启动的实例都将被拒绝。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "RequireMicroInstanceType", "Effect": "Deny", "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:*:*:instance/*" ], "Condition": { "StringNotEquals": { "ec2:InstanceType": "t2.micro" } } } ] }
防止在没有 IMDSv2 的情况下启动 EC2 实例
以下策略限制所有用户在没有 IMDSv2 的情况下启动 EC2 实例。
[ { "Effect":"Deny", "Action":"ec2:RunInstances", "Resource":"arn:aws:ec2:*:*:instance/*", "Condition":{ "StringNotEquals":{ "ec2:MetadataHttpTokens":"required" } } }, { "Effect":"Deny", "Action":"ec2:RunInstances", "Resource":"arn:aws:ec2:*:*:instance/*", "Condition":{ "NumericGreaterThan":{ "ec2:MetadataHttpPutResponseHopLimit":"3" } } }, { "Effect":"Deny", "Action":"*", "Resource":"*", "Condition":{ "NumericLessThan":{ "ec2:RoleDelivery":"2.0" } } }, { "Effect":"Deny", "Action":"ec2:ModifyInstanceMetadataOptions", "Resource":"*" } ]
以下策略限制所有用户在没有 IMDSv2 的情况下启动 EC2 实例,但允许特定 IAM 身份修改实例元数据选项。
[ { "Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:instance/*", "Condition": { "StringNotEquals": { "ec2:MetadataHttpTokens": "required" } } }, { "Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:instance/*", "Condition": { "NumericGreaterThan": { "ec2:MetadataHttpPutResponseHopLimit": "3" } } }, { "Effect": "Deny", "Action": "*", "Resource": "*", "Condition": { "NumericLessThan": { "ec2:RoleDelivery": "2.0" } } }, { "Effect": "Deny", "Action": "ec2:ModifyInstanceMetadataOptions", "Resource": "*", "Condition": { "StringNotLike": { "aws:PrincipalARN": [ "arn:aws:iam::{ACCOUNT_ID}:{RESOURCE_TYPE}/{RESOURCE_NAME}" ] } } } ]
防止禁用默认 Amazon EBS 加密
以下策略限制所有用户禁用默认 Amazon EBS 加密。
{ "Effect": "Deny", "Action": [ "ec2:DisableEbsEncryptionByDefault" ], "Resource": "*" }