问题描述:

We have an AWS user, who should be able to Create different resources like Instances, Volumes and SecurityGroups but not modify resources that are not part of its project.

For this purpose we allow the creation of resources and let the user CreateTags his resources with a Project tag and a value of <user's team name here>. He should not be able to tag already tagged resources and so, not the resources of other teams. (Every single resource is properly tagged here).

I have created a policy with statement:

[...]

{

"Effect": "Allow",

"Action": "ec2:CreateTags",

"Resource": "*",

"Condition": {

"Null": {

"ec2:ResourceTag/Project": "true"

}

}

}

[...]

If I use the Policy Simulator by AWS, I am allowed to call CreateTags on a resource without a Project tag.

If I simulate it with setting a Project tag, the action is denied just as expected.

Unforunately, if I use the same actions from the AWS CLI with this policy, CreateTags is allowed every time. Even if the tag is already set and even on foreign instances the user should not be able to modify:

as user with mentioned policy

aws ec2 create-security-group --group-name "test-sg" --description "test" # creation of a new resource

(AWS answer){

"GroupId": "sg-4a3151aa"

}

.

aws ec2 create-tags --resources sg-4a31513c --tags Key=Project,Value=web-performance # this should work, ResourceTag Project is Null

(success)

aws ec2 create-tags --resources sg-4a31513c --tags Key=Project,Value=web-performance # should *not* work, ResourceTag Project is already set and not Null

(success)

As you can see, it works both times and it works also on foreign Projects where the tag is already set.

I also tried it with

 "Condition": {

"StringNotLike": {

"ec2:ResourceTag/Project": "*"

}

}

This behaves exactly like the "Null" Condition, even in the Policy Simulator.

Do you have any ideas? Thanks in advance.

网友答案:

Amazon EC2 has partial support for resource-level permissions. At the time of writing, the CreateTags action does not support resource-level permissions. You can see the list of actions that support resource-level permissions here.

You can verify this by changing your policy to specify StopInstances (which supports resource-level permissions) in place of CreateTags. Your IAM user will only be able to stop an EC2 instance if the instance does not have a Project tag. Alternatively, if you change the Null condition to false, then the IAM user will only be able to stop an EC2 instance if the instance does have a Project tag.

So, your policy will presumably be correct at some point in the future, when CreateTags supports resource-level permissions.

相关阅读:
Top