SCP I have that appears to work:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ec2:*",
      "Resource": "arn:aws:ec2:*:*:image/ami-*",
      "Condition": {
        "ArnNotEquals": {
          "aws:PrincipalArn": [
            "arn:aws:iam::xxxxxxxx3352:role/AutomationServerRole"
          ]
        }
      }
    },
    {
      "Sid": "Deny2",
      "Effect": "Deny",
      "Action": "ec2:*",
      "Resource": "arn:aws:ec2:*:*:image/ami-*",
      "Condition": {
        "StringNotEquals": {
          "ec2:Owner": [
            "amazon",
            "xxxxxxxx3352"
          ]
        }
      }
    }
  ]
}
Testing methods:
- Test via an EC2 instance with the AutomationServerRole role attached
  - this fails: launch CentOS (non-Amazon alias)
  - this succeeds: launch AL2023 (Amazon-owned alias)
  - this succeeds: launch self-owned AMI
- Test from CloudShell in the 3352 account with my assumed org role
  - this fails: launch CentOS (non-Amazon alias)
  - this fails: launch AL2023 (Amazon-owned alias)
  - this fails: launch self-owned AMI
launch methods?
- image-factory
- launch centos non-amazon image = FAILS
  AMI_ID="ami-0144a5a84f5699847" && \
  aws ec2 run-instances \
    --image-id ${AMI_ID} \
    --count 1 \
    --instance-type t4g.nano \
    --security-group-ids sg-0dce1ffd1ab48a3a4 \
    --subnet-id subnet-0b0b9f71817ca7870 \
    --tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=cli-test-no-amazon-centos-ami-$(date '+%Y-%m-%d_%H-%M')}]" \
    --ebs-optimized \
    --credit-specification CpuCredits=standard \
    --no-associate-public-ip-address
- launch self owned image = SUCCESS
  AMI_ID="ami-0b2e9fef7a3024ce6" && \
  aws ec2 run-instances \
    --image-id ${AMI_ID} \
    --count 1 \
    --instance-type t4g.nano \
    --security-group-ids sg-0dce1ffd1ab48a3a4 \
    --subnet-id subnet-0b0b9f71817ca7870 \
    --tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=cli-test-org-shared-ami-$(date '+%Y-%m-%d_%H-%M')}]" \
    --ebs-optimized \
    --credit-specification CpuCredits=standard \
    --no-associate-public-ip-address
- launch amazon image AL2023 = SUCCESS
  AMI_ID="ami-0f93c02efd1974b8b" && \
  aws ec2 run-instances \
    --image-id ${AMI_ID} \
    --count 1 \
    --instance-type t4g.nano \
    --security-group-ids sg-0dce1ffd1ab48a3a4 \
    --subnet-id subnet-0b0b9f71817ca7870 \
    --tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=cli-test-amazon-al2023-ami-$(date '+%Y-%m-%d_%H-%M')}]" \
    --ebs-optimized \
    --credit-specification CpuCredits=standard \
    --no-associate-public-ip-address
This acts like OR because it lets me launch the 3352 AMI without the role, but only from amazon and 3352. It rejects the CentOS AMI.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ec2:Run*",
      "Resource": "arn:aws:ec2:*::image/ami-*",
      "Condition": {
        "StringNotEquals": {
          "ec2:Owner": [
            "amazon",
            "xxxxxxxx3352"
          ]
        },
        "ArnNotEquals": {
          "aws:PrincipalArn": [
            "arn:aws:iam::xxxxxxxx3352:role/AutomationServerRole"
          ]
        }
      }
    }
  ]
}
This acts like AND and allows only the two defined AMI owners/aliases, and only from the role ARN.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ec2:Run*",
      "Resource": "arn:aws:ec2:*:*:image/ami-*",
      "Condition": {
        "StringNotEquals": {
          "ec2:Owner": [
            "amazon",
            "xxxxxxxx3352"
          ]
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "ec2:Run*",
      "Resource": "arn:aws:ec2:*:*:image/ami-*",
      "Condition": {
        "ArnNotEquals": {
          "aws:PrincipalArn": [
            "arn:aws:iam::xxxxxxxx3352:role/AutomationServerRole"
          ]
        }
      }
    }
  ]
}
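The OR/AND behaviour of the two policies above follows from how IAM evaluates a Deny: all condition keys inside one statement are ANDed (the Deny fires only when every key fails to match), while separate statements are ORed (any matching Deny wins). The toy evaluator below is an added example written for this page, not AWS code or an official simulator: it models only the explicit-Deny side of SCP evaluation (assuming the usual FullAWSAccess Allow is still attached), IAM-style `*`/`?` wildcards, and the rule that a negated operator such as StringNotEquals evaluates to true when the key is absent from the request. The OrgAdminRole ARN, the image ARN, and the CentOS owner account ID are constructed placeholders; the policies and the AutomationServerRole ARN are the ones from the page.

```python
import re

ROLE = "arn:aws:iam::xxxxxxxx3352:role/AutomationServerRole"  # the role named in the SCPs above
OTHER = "arn:aws:iam::xxxxxxxx3352:role/OrgAdminRole"          # constructed: any other principal
AMI = "arn:aws:ec2:us-east-1::image/ami-0123456789abcdef0"      # constructed image ARN; note the empty account segment
CENTOS_OWNER = "111111111111"                                    # constructed stand-in for the CentOS AMI owner account

# Both condition keys in ONE statement: the Deny fires only when BOTH are true ("acts like OR" for what is allowed).
SINGLE_STATEMENT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "ec2:Run*",
        "Resource": "arn:aws:ec2:*::image/ami-*",
        "Condition": {
            "StringNotEquals": {"ec2:Owner": ["amazon", "xxxxxxxx3352"]},
            "ArnNotEquals": {"aws:PrincipalArn": [ROLE]},
        },
    }],
}

# One condition key per statement: EITHER Deny fires ("acts like AND" for what is allowed).
TWO_STATEMENTS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "ec2:Run*", "Resource": "arn:aws:ec2:*:*:image/ami-*",
         "Condition": {"StringNotEquals": {"ec2:Owner": ["amazon", "xxxxxxxx3352"]}}},
        {"Effect": "Deny", "Action": "ec2:Run*", "Resource": "arn:aws:ec2:*:*:image/ami-*",
         "Condition": {"ArnNotEquals": {"aws:PrincipalArn": [ROLE]}}},
    ],
}

NEGATED = {"StringNotEquals", "ArnNotEquals", "ArnNotLike"}


def _wild(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters (including none), '?' one character."""
    rx = ".*".join(re.escape(part).replace(r"\?", ".") for part in pattern.split("*"))
    return re.fullmatch(rx, value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _operator(op, value, wanted):
    if op == "StringEquals":
        return value in wanted
    if op == "StringNotEquals":
        return value not in wanted
    if op in ("ArnEquals", "ArnLike"):
        return any(_wild(p, value) for p in wanted)
    if op in ("ArnNotEquals", "ArnNotLike"):
        return not any(_wild(p, value) for p in wanted)
    raise ValueError(f"operator {op} not modelled here")


def condition_matches(condition, ctx):
    """Every operator/key pair must be true (they are ANDed). A negated operator on a key
    that is absent from the request context is true, so a Deny keyed on ec2:Owner also
    bites a request that carries no ec2:Owner at all."""
    for op, keys in condition.items():
        for key, wanted in keys.items():
            if key not in ctx:
                if op in NEGATED:
                    continue
                return False
            if not _operator(op, ctx[key], _as_list(wanted)):
                return False
    return True


def statement_matches(stmt, action, resource, ctx):
    if not any(_wild(a, action) for a in _as_list(stmt["Action"])):
        return False
    if not any(_wild(r, resource) for r in _as_list(stmt["Resource"])):
        return False
    return condition_matches(stmt.get("Condition", {}), ctx)


def scp_denies(policy, action, resource, ctx):
    """The SCP denies the request if ANY Deny statement matches (statements are ORed)."""
    return any(s["Effect"] == "Deny" and statement_matches(s, action, resource, ctx)
               for s in policy["Statement"])


def launch_allowed(policy, principal_arn, ami_owner):
    ctx = {"aws:PrincipalArn": principal_arn, "ec2:Owner": ami_owner}
    return not scp_denies(policy, "ec2:RunInstances", AMI, ctx)


def matrix(policy):
    """Allowed/denied for every principal x owner combination the page tested."""
    return {(who, owner): launch_allowed(policy, arn, owner)
            for who, arn in (("role", ROLE), ("other", OTHER))
            for owner in ("amazon", "xxxxxxxx3352", CENTOS_OWNER)}


if __name__ == "__main__":
    for name, pol in (("single statement", SINGLE_STATEMENT), ("two statements", TWO_STATEMENTS)):
        print(name)
        for (who, owner), ok in matrix(pol).items():
            print(f"  {who:5} launching AMI owned by {owner:13}: {'ALLOW' if ok else 'DENY'}")
```

Running it reproduces the page's results: with the single-statement policy the non-automation principal can still launch amazon-owned and 3352-owned AMIs and only the CentOS launch is denied, while with the two-statement policy only AutomationServerRole gets through, and only for the two listed owners. The evaluator also shows the missing-key caveat: because StringNotEquals is true when ec2:Owner is absent, the two-statement policy denies an `ec2:Run*` call whose context carries no ec2:Owner, which is the behaviour you want from a Deny but worth knowing when you widen the Action beyond RunInstances.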