我试图在未加密的存储桶创建中使用以下强制拒绝 . 除了以下策略之外,具有策略的用户具有完整的S3和KMS .
我收到这个红色警告:
This policy does not grant any permissions. To grant access, policies must have an action that has an applicable resource or condition.
此外,我被拒绝创建加密或未加密的S3存储桶 .
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "s3:CreateBucket",
"Resource": "arn:aws:s3:::*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": [
"AES256",
"aws:kms"
]
}
}
}
]
}
做的原因是在加密存储桶后不要担心对象加密 .
默认加密 - 您可以强制要求存储桶中的所有对象必须以加密形式存储,而不必构建拒绝未加密对象的存储桶策略 . 推荐:https://aws.amazon.com/blogs/aws/new-amazon-s3-encryption-security-features/
1 回答
Condition Key is invalid.
s3:CreateBucket操作在编写策略时只能具有某些条件,并且s3:x-amz-server-side-encryption不是其中之一 .参考:https://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html#bucket-keys-in-amazon-s3-policies