使用 AWS re:Post 即表示您同意 AWS re:Post 使用條款

How to I create an IAM policy that will allow the user to create AMI's of my instance?

0

I am creating a policy that I can attach to a user that will allow the user to create snapshots of the EC2 instance. However it won't work. In the simulator it always fails and says "denied implicitly denied". Here is the permissions I'm using:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:CreateImage",
            "Resource": [
                "arn:aws:ec2:*:--myaccountnumber--:instance/*",
                "arn:aws:ec2:*::snapshot/*",
                "arn:aws:ec2:*::image/*"
            ]
        }
    ]
}

I've just replaced my account number in the above. Why doesn't this allow me to create an AMI of my instance?

Thanks.

已提問 2 年前檢視次數 924 次
1 個回答
1

To allow a user to create an Amazon Machine Image (AMI) of an Amazon Elastic Compute Cloud (EC2) instance, you can create an IAM policy that includes the following permissions:

  • ec2:CreateImage: This permission allows the user to create an AMI from an EC2 instance.
  • ec2:DescribeInstances: This permission allows the user to retrieve information about the EC2 instances that they have permission to create AMIs for.
  • ec2:ModifySnapshotAttribute: This permission allows the user to modify the permissions of the snapshots that are used to create the AMI.
  • ec2:CreateTags: This permission allows the user to add tags to the AMI.

Here is an example policy that includes these permissions:


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateImage",
                "ec2:DescribeInstances",
                "ec2:ModifySnapshotAttribute",
                "ec2:CreateTags"
            ],
            "Resource": [
                "arn:aws:ec2:*:--myaccountnumber--:instance/*",
                "arn:aws:ec2:*::snapshot/*",
                "arn:aws:ec2:*::image/*"
            ]
        }
    ]
}

Note that the user will also need permission to create and delete snapshots of the EBS volumes attached to the EC2 instance. The user will also need permission to create and delete the AMI itself.

profile pictureAWS
已回答 2 年前

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南