屏蔽账单
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Deny",
"Action": [
"aws-portal:*",
"ce:*",
"cur:*",
"billing:Get*",
"payments:List*",
"payments:Get*"
],
"Resource": [
"*"
]
}
]
}
屏蔽 Credit 页面
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Deny",
"Action": [
"billing:GetCredits"
],
"Resource": [
"*"
]
}
]
}
屏蔽支付方式页面
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Deny",
"Action": [
"payments:Get*"
],
"Resource": [
"*"
]
}
]
}
防止退出组织、购买 Savings Plans/RI、订阅 Shield Advanced(策略中的 shield:* 会拒绝所有 Shield 操作,而不仅是订阅)
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Deny",
"Action": [
"organizations:LeaveOrganization",
"savingsplans:CreateSavingsPlan",
"ec2:PurchaseReservedInstancesOffering",
"shield:*"
],
"Resource": [
"*"
]
}
]
}
限制 EC2 实例类型,并禁止购买 RI、Savings Plans(注意:ec2:InstanceType 是单值条件键,AWS 建议使用 StringNotEquals 而非 ForAllValues:StringNotEquals,因为 ForAllValues 在请求中缺少该键时也会匹配)
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyLaunchHighCPUInstanceTypes",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:*:*:instance/*",
"Condition": {
"ForAllValues:StringNotEquals": {
"ec2:InstanceType": [
"t2.micro",
"t2.small",
"t2.medium",
"t2.large",
"t2.2xlarge",
"t3.micro",
"t3.small",
"t3.xlarge",
"t3.2xlarge",
"t3.medium",
"t3a.micro",
"t3a.small",
"t3a.medium",
"t4g.micro",
"t4g.small",
"t4g.medium",
"c4.large",
"c4.xlarge",
"c4.2xlarge",
"c5.large",
"c5.xlarge",
"c5.2xlarge",
"c5a.large",
"c5a.xlarge",
"c5a.2xlarge",
"c5d.large",
"c5d.xlarge",
"c5d.2xlarge",
"c5n.large",
"c5n.xlarge",
"c5n.2xlarge",
"c6g.medium",
"c6g.large",
"c6g.xlarge",
"c6gn.medium",
"c6gn.large",
"c6gn.xlarge",
"m6i.large",
"m6i.xlarge",
"c6i.large",
"r6i.large"
]
}
}
},
{
"Sid": "DenyPurchaseShieldAdvance",
"Effect": "Deny",
"Action": [
"shield:*",
"ec2:PurchaseReservedInstancesOffering",
"savingsplans:CreateSavingsPlan"
],
"Resource": "*"
}
]
}
禁止所有权限:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"DateLessThanEquals": {
"aws:TokenIssueTime": "2050-01-01T00:00:01Z"
}
}
}
}
创建 SCP 策略。如果请求中缺少标签键 costcenter 或标签键 team(两者均为必需),则以下策略将拒绝 Amazon EC2 实例启动。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyEC2CreationSCP1",
"Effect": "Deny",
"Action": [
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*"
],
"Condition": {
"Null": {
"aws:RequestTag/costcenter": "true"
}
}
},
{
"Sid": "DenyEC2CreationSCP2",
"Effect": "Deny",
"Action": [
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*"
],
"Condition": {
"Null": {
"aws:RequestTag/team": "true"
}
}
}
]
}
创建另一个 SCP,在标签键创建后,拒绝用户删除 costcenter 和 team 标签键
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyDeleteTag1",
"Effect": "Deny",
"Action": [
"ec2:DeleteTags"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*"
],
"Condition": {
"Null": {
"aws:RequestTag/costcenter": "false"
}
}
},
{
"Sid": "DenyDeleteTag2",
"Effect": "Deny",
"Action": [
"ec2:DeleteTags"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*"
],
"Condition": {
"Null": {
"aws:RequestTag/team": "false"
}
}
}
]
}
委派成员账号(linked account)查看组织账号及策略的权限(只能是只读权限);Principal 中的账号 ID 已部分脱敏,使用前需替换为完整的 12 位账号 ID。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::015848*****:root"
},
"Action": [
"organizations:ListAccounts",
"organizations:DescribeAccount",
"organizations:ListAccountsForParent",
"organizations:ListChildren",
"organizations:ListAWSServiceAccessForOrganization",
"organizations:ListParents",
"organizations:ListPolicies",
"organizations:ListRoots",
"organizations:DescribeCreateAccountStatus",
"organizations:DescribeOrganization",
"organizations:DescribeOrganizationalUnit",
"organizations:DescribePolicy",
"organizations:DescribeResourcePolicy",
"organizations:ListCreateAccountStatus",
"organizations:ListDelegatedAdministrators",
"organizations:ListDelegatedServicesForAccount",
"organizations:ListHandshakesForAccount",
"organizations:ListHandshakesForOrganization",
"organizations:ListOrganizationalUnitsForParent",
"organizations:ListTagsForResource",
"organizations:ListTargetsForPolicy",
"organizations:DescribeEffectivePolicy",
"organizations:DescribeHandshake"
],
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Id": "S3-Allow-public-object",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::BUCKET_NAME/text01"
}
]
}