IAM policy that allows creating only instances tagged wsi-project: developer
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyAccess",
      "Action": [
        "ec2:Describe*",
        "ec2:GetConsole*",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:GetMetricStatistics",
        "iam:ListInstanceProfiles"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Sid": "AllowEC2OnlyOnSpecificRegion",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:ap-northeast-2:*:key-pair/*",
        "arn:aws:ec2:ap-northeast-2:*:security-group/*",
        "arn:aws:ec2:ap-northeast-2:*:volume/*",
        "arn:aws:ec2:ap-northeast-2:*:network-interface/*",
        "arn:aws:ec2:ap-northeast-2:*:subnet/*",
        "arn:aws:ec2:ap-northeast-2::image/ami-*"
      ]
    },
    {
      "Sid": "AllowInstanceLaunchOnlyWithProjectTag",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:ap-northeast-2:*:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/wsi-project": "developer"
        }
      }
    },
    {
      "Sid": "EnforcingEC2Tagging",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": "RunInstances",
          "aws:RequestTag/wsi-project": "developer"
        }
      }
    }
  ]
}
IAM policy that allows deleting only instances tagged wsi-project: developer
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyAccess",
      "Action": [
        "ec2:Describe*",
        "ec2:GetConsole*",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:GetMetricStatistics",
        "iam:ListInstanceProfiles"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Sid": "AllowEC2DeletionWithTagAndRegion",
      "Effect": "Allow",
      "Action": "ec2:TerminateInstances",
      "Resource": "arn:aws:ec2:ap-northeast-2:*:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/wsi-project": "developer"
        }
      }
    }
  ]
}
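To check what the two policies above actually gate, here is an added example (not part of the original post, and not AWS's evaluator): a minimal model of IAM policy evaluation that handles Allow statements, `*` wildcards and the StringEquals operator, run against the tag-gated RunInstances/CreateTags statements and the ResourceTag-gated TerminateInstances statement. The account id and the subnet, AMI and instance ids are constructed.

```python
import fnmatch
REGION, ACCOUNT = "ap-northeast-2", "123456789012"  # constructed account id

def _matches(patterns, value):
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def is_allowed(policy, action, resource, context):
    """Allow if a statement matches and every StringEquals key equals the
    context value; a key absent from the context fails, as in IAM."""
    for st in policy["Statement"]:
        if (st["Effect"] != "Allow" or not _matches(st["Action"], action)
                or not _matches(st["Resource"], resource)):
            continue
        cond = st.get("Condition", {}).get("StringEquals", {})
        if all(context.get(k) == v for k, v in cond.items()):
            return True
    return False  # nothing matched: implicit deny

LAUNCH_POLICY = {"Statement": [  # tag-gated RunInstances, as in the policy above
    {"Effect": "Allow", "Action": "ec2:RunInstances",
     "Resource": f"arn:aws:ec2:{REGION}:*:instance/*",
     "Condition": {"StringEquals": {"aws:RequestTag/wsi-project": "developer"}}},
    {"Effect": "Allow", "Action": "ec2:RunInstances",
     "Resource": [f"arn:aws:ec2:{REGION}:*:subnet/*", f"arn:aws:ec2:{REGION}::image/ami-*"]},
    {"Effect": "Allow", "Action": "ec2:CreateTags", "Resource": "*",
     "Condition": {"StringEquals": {"ec2:CreateAction": "RunInstances",
                                    "aws:RequestTag/wsi-project": "developer"}}}]}

TERMINATE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "ec2:TerminateInstances",
     "Resource": f"arn:aws:ec2:{REGION}:*:instance/*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/wsi-project": "developer"}}}]}

def launch_allowed(policy, request_tags):
    """RunInstances into a subnet from an AMI: every ARN in the call must be
    allowed, and when tags are supplied the implicit CreateTags must be too."""
    ctx = {f"aws:RequestTag/{k}": v for k, v in request_tags.items()}
    arns = [f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/*",
            f"arn:aws:ec2:{REGION}:{ACCOUNT}:subnet/subnet-0123456789abcdef0",
            f"arn:aws:ec2:{REGION}::image/ami-0123456789abcdef0"]
    if not all(is_allowed(policy, "ec2:RunInstances", a, ctx) for a in arns):
        return False
    tag_ctx = {**ctx, "ec2:CreateAction": "RunInstances"}
    return not request_tags or is_allowed(policy, "ec2:CreateTags", arns[0], tag_ctx)

def terminate_allowed(policy, resource_tags):
    ctx = {f"ec2:ResourceTag/{k}": v for k, v in resource_tags.items()}  # tags on the instance
    arn = f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/i-0123456789abcdef0"
    return is_allowed(policy, "ec2:TerminateInstances", arn, ctx)
```

Note that a RunInstances statement without the `aws:RequestTag` condition on the instance ARN would let an untagged launch through; only the condition on the instance resource itself blocks it.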