Amazon AWS IAM user policy to access only one EC2 instance in the eu-west-1 region

2023-09-11 08:19:08 Author: 咆哮才是中国好声音i

I have read the AWS documentation and it wasn't helpful... at least not for me. I have read about IAM and the user policy on the EC2.

The region I'm using is eu-west-1 (Ireland). I made this policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "arn:aws:ec2:eu-west-1:ACCOUNT_ID:instance/INSTANCE_ID"
    }
  ]
}

When I log in as the user, I see that I'm not authorized:

You are not authorized to describe Running Instances
You are not authorized to describe Elastic IPs
You are not authorized to describe Volumes
You are not authorized to describe Snapshots
You are not authorized to describe Key Pairs
You are not authorized to describe Load Balancers
You are not authorized to describe Placement Groups
You are not authorized to describe Security Groups

If on the resource I use:

"Resource": "arn:aws:ec2:*"

it's OK, but it's not what I need, because users then have access to all EC2 instances.

I want to know whether this is an AWS bug, whether there are problems with the eu-west-1 region, or whether this policy isn't supported yet. Or maybe I'm wrong; if so, please tell me what to do.

Recommended answer

The recently introduced Resource-Level Permissions for EC2 and RDS Resources are not yet available for all API actions, but AWS is gradually adding more, see this note from Amazon Resource Names for Amazon EC2:

Important: Currently, not all API actions support individual ARNs; we'll add support for additional API actions and ARNs for additional Amazon EC2 resources later. For information about which ARNs you can use with which Amazon EC2 API actions, as well as supported condition keys for each ARN, see Supported Resources and Conditions for Amazon EC2 API Actions.

You will find that all ec2:Describe* actions are indeed absent still from Supported Resources and Conditions for Amazon EC2 API Actions at the time of this writing.

See also Granting IAM Users Required Permissions for Amazon EC2 Resources for a concise summary of the above and details on the ARNs and Amazon EC2 condition keys that you can use in an IAM policy statement to grant users permission to create or modify particular Amazon EC2 resources - this page also mentions that AWS will add support for additional actions, ARNs, and condition keys in 2014.

Instead of, or in addition to, constraining access at the individual resource level, you might want to look into (also) using Conditions combined with Policy Variables, insofar as ec2:Region is one of the supported Condition Keys for Amazon EC2 - you might combine your policy with one that specifically handles Describe* actions, e.g. something like this (untested):

{
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:Region": "eu-west-1"
        }
      }
    }
  ]
}

Please note that this would still allow the user to see all instances in eu-west-1, even though your original policy fragment would prevent all API actions that already support resource-level permissions (e.g. instance creation/termination, etc.).

I've outlined yet another possible approach in section Partial Workaround within my related answer to How to hide instances in EC2 based on tag - using IAM?.

Good luck!
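To make the answer's reasoning concrete, here is an added Python model (not code from the question, the answer or AWS) of how the two statements evaluate against a few requests; it assumes placeholder account and instance ids and simplifies real IAM evaluation to the one rule the answer explains, namely that Describe* actions only match a statement whose Resource is "*".

```python
import fnmatch

# Constructed placeholders standing in for the questioner's ACCOUNT_ID / INSTANCE_ID.
ACCOUNT_ID, INSTANCE_ID = "111122223333", "i-0123456789abcdef0"
INSTANCE_ARN = f"arn:aws:ec2:eu-west-1:{ACCOUNT_ID}:instance/{INSTANCE_ID}"

# The question's original statement, plus the answer's region-scoped Describe* statement.
ORIGINAL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": INSTANCE_ARN}]}
COMBINED_POLICY = {"Version": "2012-10-17", "Statement": ORIGINAL_POLICY["Statement"] + [
    {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*",
     "Condition": {"StringEquals": {"ec2:Region": "eu-west-1"}}}]}

def supports_resource_level(action):
    # Simplified model of the page's point: ec2:Describe* actions did not support
    # resource-level permissions, so only a statement with Resource "*" can grant them.
    return not action.lower().startswith("ec2:describe")

def _matches(patterns, value):
    pats = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in pats)

def is_allowed(policy, action, resource, region):
    """Default-deny evaluation: an explicit Deny wins, otherwise any matching Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if supports_resource_level(action):
            if not _matches(stmt["Resource"], resource):
                continue
        elif stmt["Resource"] != "*":   # ARN-scoped statement cannot match Describe*
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "ec2:Region" in cond and cond["ec2:Region"] != region:
            continue   # condition key mismatch: the statement does not apply
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

if __name__ == "__main__":
    other_arn = INSTANCE_ARN.replace(INSTANCE_ID, "i-0fedcba9876543210")  # constructed
    for name, pol in (("original", ORIGINAL_POLICY), ("combined", COMBINED_POLICY)):
        print(name, "DescribeInstances in eu-west-1:",
              is_allowed(pol, "ec2:DescribeInstances", "*", "eu-west-1"))
        print(name, "DescribeInstances in us-east-1:",
              is_allowed(pol, "ec2:DescribeInstances", "*", "us-east-1"))
        print(name, "TerminateInstances on own instance:",
              is_allowed(pol, "ec2:TerminateInstances", INSTANCE_ARN, "eu-west-1"))
        print(name, "TerminateInstances on other instance:",
              is_allowed(pol, "ec2:TerminateInstances", other_arn, "eu-west-1"))
```

The original policy denies every Describe call (reproducing the console messages in the question), while the combined policy allows Describe* only in eu-west-1 and still limits mutating actions to the one instance.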