In IAM, can I restrict a user group to access/start/stop only certain EC2 AMIs or instances? Tags: user groups, instances, IAM, AMI

2023-09-11 08:46:35 By: 毁了我的梦

What the title says.

Within the master AWS account, I have several personal accounts, i.e. AWS Identity and Access Management (IAM) users. I would like to assign certain IAM users to groups and prevent them from terminating certain Amazon EC2 instances, de-registering certain Amazon Machine Images (AMIs), etc.

I don't mind if they're playing with their own stuff, but I don't want them to touch my stuff.

Is this possible?

Recommended answer

Update

AWS has just announced Resource-Level Permissions for Amazon EC2 and Amazon RDS to address this long-standing shortcoming of IAM support within EC2 and RDS (in comparison to other AWS services, see my original answer below for details/background):

Today, we are making IAM even more capable with the introduction of resource-level permissions for Amazon EC2.

(Partial) Workaround

Depending on the needs of the other accounts, you might still be able to at least limit their ability to perform those actions considered destructive - you can explore the available actions via the AWS Policy Generator, for example:

- ec2:DeregisterImage - obvious effect, when denied for a user/group
- ec2:ModifyInstanceAttribute - this would help via Enabling Termination Protection for an Instance, when denied for a user/group:

By default, you can terminate any instances you launch. If you want to prevent accidental termination of the instance, you can enable termination protection for the instance.

That is, once you've enabled termination protection, anyone without permission to use ec2:ModifyInstanceAttribute cannot terminate these instances at all.

Obviously the respectively restricted accounts won't be able to facilitate those calls for their own resources anymore.

Furthermore, this won't prevent them from running a fancy Cluster Compute Eight Extra Large Instance or so, incurring respective costs in turn ;)

Depending on your setup/environment you might want to look into Consolidated Billing instead, which essentially provides a way to gather one or many AWS accounts under another one, which is paying for the resources used by the others.

While this is primarily an accounting feature, it can be used to separate areas of concern as well - for example, it's quite common to facilitate separate development and production accounts to achieve respectively independent operation, not least regarding IAM rights and the like.

The introductory blog post New AWS Feature: Consolidated Billing provides a good overview, and here is the relevant topic from the AWS Consolidated Billing Guide regarding your apparent use case:

The paying account is billed for all costs of the linked accounts. However, each linked account is completely independent in every other way (signing up for services, accessing resources, using AWS Premium Support, etc.). The paying account owner cannot access data belonging to the linked account owners (e.g., their files in Amazon S3). Each account owner uses their own AWS credentials to access their resources (e.g., their own AWS Secret Access Key). [emphasis mine]

Obviously this functionality is targeted at larger customers, but depending on your scenario you might still be able to come up with a solution to separate your AWS accounts and resources as needed.
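To make the two approaches in the answer concrete, here is an added example (not part of the original answer, and not AWS code) that models the core IAM decision rules - explicit Deny beats Allow, anything not allowed is implicitly denied, `*` wildcards - and applies them to the (partial) workaround policy and to a resource-level policy. Conditions and principals are deliberately left out, and the account id and instance ARNs are constructed placeholders.

```python
from fnmatch import fnmatchcase

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _match(pattern, value, fold=False):
    # IAM treats '*' and '?' as wildcards; action names are case-insensitive, ARNs are not
    if fold:
        pattern, value = pattern.lower(), value.lower()
    return fnmatchcase(value, pattern)

def evaluate(policies, action, resource):
    """Core IAM decision logic (Conditions and principals deliberately omitted)."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(_match(a, action, fold=True) for a in _as_list(stmt["Action"])):
                continue
            if not any(_match(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny always wins
            allowed = True
    return "Allow" if allowed else "Deny"  # nothing matched: implicit deny

def can_terminate(policies, instance_arn, termination_protected):
    """Termination protection must be switched off (ec2:ModifyInstanceAttribute)
    before ec2:TerminateInstances succeeds, which is what the workaround relies on."""
    if termination_protected and evaluate(policies, "ec2:ModifyInstanceAttribute", instance_arn) == "Deny":
        return False
    return evaluate(policies, "ec2:TerminateInstances", instance_arn) == "Allow"

ACCOUNT = "123456789012"  # constructed placeholder account id
OWNER_INSTANCE = f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/i-0f9e8d7c6b5a40001"  # constructed
THEIR_INSTANCE = f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/i-0a1b2c3d4e5f60001"  # constructed

# (Partial) workaround from the answer: full EC2 access minus the two destructive calls.
WORKAROUND = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["ec2:DeregisterImage", "ec2:ModifyInstanceAttribute"],
     "Resource": "*"}]}

# Resource-level permissions: terminate only the instances listed by ARN.
RESOURCE_LEVEL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": [THEIR_INSTANCE]}]}
```

Note what the model shows: with the workaround alone, an instance that is not termination-protected can still be terminated, so the protection flag is what does the real work there, whereas the resource-level policy denies the owner's instance outright.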

 