The permissions of the sub-account (or the related role) are restricted as follows:
- Creating resources is not allowed, unless the resource being created carries the tag (costcenter:zhangsan).
- The user can operate on resources they created themselves, i.e. resources carrying the tag (costcenter:zhangsan).
- The user cannot operate on other people's resources, i.e. resources that do not carry the tag (costcenter:zhangsan).
- When viewing instances, the user only sees the resources they created, not other people's. [By default no resources are visible at all; the user has to select a tag filter manually before their own resources show up.]
- Modifying tags is not allowed, so that the tags cannot be changed.
The permission design is as follows:
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:Run*",
        "ecs:Create*",
        "ecs:Purchase*",
        "ecs:DescribeInstances",
        "ecs:List*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:RequestTag/costcenter": "zhangsan"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:ResourceTag/costcenter": "zhangsan"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:List*",
        "ecs:DescribeInstanceStatus",
        "ecs:DescribeInstanceVncUrl",
        "ecs:DescribeInstanceAutoRenewAttribute",
        "ecs:DescribeInstanceRamRole",
        "ecs:DescribeInstanceTypeFamilies",
        "ecs:DescribeInstanceTypes",
        "ecs:DescribeInstanceAttachmentAttributes",
        "ecs:DescribeInstancesFullStatus",
        "ecs:DescribeInstanceHistoryEvents",
        "ecs:DescribeInstanceMonitorData",
        "ecs:DescribeInstanceMaintenanceAttributes",
        "ecs:DescribeInstanceModificationPrice",
        "ecs:DescribeA*",
        "ecs:DescribeC*",
        "ecs:DescribeD*",
        "ecs:DescribeE*",
        "ecs:DescribeH*",
        "ecs:DescribeIm*",
        "ecs:DescribeInv*",
        "ecs:DescribeK*",
        "ecs:DescribeL*",
        "ecs:DescribeM*",
        "ecs:DescribeN*",
        "ecs:DescribeP*",
        "ecs:DescribeR*",
        "ecs:DescribeS*",
        "ecs:DescribeT*",
        "ecs:DescribeW*",
        "ecs:DescribeZ*",
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "bss:PayOrder"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "ecs:RemoveTags",
        "ecs:UntagResources",
        "ecs:AddTags",
        "ecs:TagResources"
      ],
      "Resource": "*"
    }
  ]
}
```
Verification:
- Creating resources is not allowed, unless the resource being created carries the tag (costcenter:zhangsan).
  Create ECS resources that support tags, with the tag attached.
- The user can operate on resources they created themselves, i.e. resources carrying the tag (costcenter:zhangsan).
  Create an ECS instance; creating disks, images, security groups and other resources that support tags works the same way. See the TagResources documentation for the list of supported resource types.
- The user cannot operate on other people's resources, i.e. resources that do not carry the tag (costcenter:zhangsan).
- When viewing instances, the user only sees the resources they created, not other people's. [By default no resources are visible at all; the user has to select a tag filter manually before their own resources show up.]
  The user can also operate on their own resources, for example start or release them.
- Modifying tags is not allowed, so that the tags cannot be changed.
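To make the interplay of the four statements concrete, here is an added example (not code from the original page and not Alibaba Cloud's own evaluation engine): a small Python evaluator that replays the verification points above against the policy. It assumes the usual RAM decision order (an explicit Deny beats any Allow; with no matching Allow the request is implicitly denied), models `acs:RequestTag/<key>` as a tag carried by the request and `acs:ResourceTag/<key>` as a tag already attached to the target resource, treats a missing tag as a failed `StringEquals` condition, and represents the console's tag filter as a `DescribeInstances` request carrying that tag. Resource matching is skipped because every `Resource` in the policy is `*`. The tag values `lisi` and the scenario names are constructed for the example.

```python
"""Simplified evaluator for the tag-scoped RAM policy above (added example).

Assumptions: explicit Deny wins over Allow, otherwise implicit deny;
acs:RequestTag/<k> reads the request's tags, acs:ResourceTag/<k> reads the
target resource's tags; a missing tag fails StringEquals; the console tag
filter is modelled as the Describe request carrying the tag.
"""
from fnmatch import fnmatchcase

# The page's policy, written as a Python dict (same statements, same order).
POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ecs:Run*", "ecs:Create*", "ecs:Purchase*",
                    "ecs:DescribeInstances", "ecs:List*"],
         "Condition": {"StringEquals": {"acs:RequestTag/costcenter": "zhangsan"}}},
        {"Effect": "Allow", "Resource": "*", "Action": "*",
         "Condition": {"StringEquals": {"acs:ResourceTag/costcenter": "zhangsan"}}},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ecs:List*", "ecs:DescribeInstanceStatus", "ecs:DescribeInstanceVncUrl",
                    "ecs:DescribeInstanceAutoRenewAttribute", "ecs:DescribeInstanceRamRole",
                    "ecs:DescribeInstanceTypeFamilies", "ecs:DescribeInstanceTypes",
                    "ecs:DescribeInstanceAttachmentAttributes", "ecs:DescribeInstancesFullStatus",
                    "ecs:DescribeInstanceHistoryEvents", "ecs:DescribeInstanceMonitorData",
                    "ecs:DescribeInstanceMaintenanceAttributes", "ecs:DescribeInstanceModificationPrice",
                    "ecs:DescribeA*", "ecs:DescribeC*", "ecs:DescribeD*", "ecs:DescribeE*",
                    "ecs:DescribeH*", "ecs:DescribeIm*", "ecs:DescribeInv*", "ecs:DescribeK*",
                    "ecs:DescribeL*", "ecs:DescribeM*", "ecs:DescribeN*", "ecs:DescribeP*",
                    "ecs:DescribeR*", "ecs:DescribeS*", "ecs:DescribeT*", "ecs:DescribeW*",
                    "ecs:DescribeZ*", "vpc:DescribeVpcs", "vpc:DescribeVSwitches", "bss:PayOrder"]},
        {"Effect": "Deny", "Resource": "*",
         "Action": ["ecs:RemoveTags", "ecs:UntagResources", "ecs:AddTags", "ecs:TagResources"]},
    ],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def condition_holds(condition, request_tags, resource_tags):
    """True when every StringEquals clause matches; a missing tag fails."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            if key.startswith("acs:RequestTag/"):
                actual = request_tags.get(key[len("acs:RequestTag/"):])
            elif key.startswith("acs:ResourceTag/"):
                actual = resource_tags.get(key[len("acs:ResourceTag/"):])
            else:
                raise ValueError(f"unsupported condition key: {key}")
            if actual != expected:
                return False
    return True


def evaluate(policy, action, request_tags=None, resource_tags=None):
    """Return "Allow" or "Deny" for one API action under the policy."""
    request_tags = request_tags or {}
    resource_tags = resource_tags or {}
    allowed = False
    for stmt in policy["Statement"]:
        # "*" in an action name is a glob; fnmatchcase keeps the match case-sensitive
        if not any(fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not condition_holds(stmt.get("Condition", {}), request_tags, resource_tags):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides every Allow, even statement 2's "*"
        allowed = True
    return "Allow" if allowed else "Deny"  # nothing allowed it: implicit deny


OWN = {"costcenter": "zhangsan"}  # constructed: zhangsan's own tag
OTHER = {"costcenter": "lisi"}    # constructed: a tag belonging to someone else


def verify_scenarios(policy=POLICY):
    """Replay the page's verification points as policy decisions."""
    return {
        "create_with_own_tag": evaluate(policy, "ecs:RunInstances", request_tags=OWN),
        "create_without_tag": evaluate(policy, "ecs:RunInstances"),
        "start_own_instance": evaluate(policy, "ecs:StartInstance", resource_tags=OWN),
        "start_other_instance": evaluate(policy, "ecs:StartInstance", resource_tags=OTHER),
        "list_without_tag_filter": evaluate(policy, "ecs:DescribeInstances"),
        "list_with_tag_filter": evaluate(policy, "ecs:DescribeInstances", request_tags=OWN),
        "retag_own_instance": evaluate(policy, "ecs:TagResources", resource_tags=OWN),
        "describe_instance_types": evaluate(policy, "ecs:DescribeInstanceTypes"),
    }


if __name__ == "__main__":
    for name, decision in verify_scenarios().items():
        print(f"{name:26s} {decision}")
```

Two points the replay makes visible: `ecs:DescribeInstances` is deliberately absent from the unconditional third statement, so the listing call is only allowed when the request itself carries the tag, which is exactly the "nothing visible until a tag filter is selected" behaviour noted above; and the final Deny statement blocks `TagResources`/`AddTags` even on the user's own resources, despite the second statement's `Action: "*"`, so tags must be set at creation time and cannot be rewritten afterwards.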