In the previous section, the policies will be divided into 5 different functions, if you want, you can optionally edit and combine them to suit the practical requirements you are aiming for or want. apply.
In addition, in this exercise, the following AWS Regions will be used by default to further strengthen the limit for Resource Tags.
In the new creation screen, we select JSON and fill in our policy specification.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ec2listread",
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"ec2:Get*"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestedRegion": [
"us-east-1",
"us-west-1"
]
}
}
}
]
}
Fill in the name along with a specific description.
ec2-list-read
ec2-list-read
ec2-create-tags
ec2-create-tags
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ec2createtags",
"Effect": "Allow",
"Action": "ec2:CreateTags",
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:CreateAction": "RunInstances"
}
}
}
]
}
Information:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ec2createtagsexisting",
"Effect": "Allow",
"Action": "ec2:CreateTags",
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Team": "Alpha"
},
"ForAllValues:StringEquals": {
"aws:TagKeys": [
"Team",
"Name"
]
},
"StringEqualsIfExists": {
"aws:RequestTag/Team": "Alpha"
}
}
}
]
}
Information:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ec2runinstances",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:*:*:instance/*",
"Condition": {
"StringEquals": {
"aws:RequestedRegion": [
"us-east-1",
"us-west-1"
],
"aws:RequestTag/Team": "Alpha"
},
"ForAllValues:StringEquals": {
"aws:TagKeys": [
"Name",
"Team"
]
}
}
},
{
"Sid": "ec2runinstancesother",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:key-pair/*",
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*:*:launch-template/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:placement-group/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*::image/*"
],
"Condition": {
"StringEquals": {
"aws:RequestedRegion": [
"us-east-1",
"us-west-1"
]
}
}
}
]
}
Information:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ec2manageinstances",
"Effect": "Allow",
"Action": [
"ec2:RebootInstances",
"ec2:TerminateInstances",
"ec2:StartInstances",
"ec2:StopInstances"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Team": "Alpha",
"aws:RequestedRegion": [
"us-east-1",
"us-west-1"
]
}
}
}
]
}
Once done, you will have 5 EC2 policies as shown below: