首页 文章

S3 Bucket Policy允许访问特定用户并限制所有用户

提问于
浏览
3

我搜索了现有的问题而无法找到答案 . 因此张贴在这里 .

我想限制所有用户访问S3存储桶,除了使用S3 Bucket策略选择少数用户 . 我理解IAM策略易于管理和管理,我不喜欢为这个特定情况创建角色和组,并希望创建S3存储桶策略 .

这是我到目前为止所尝试的内容,并不是按预期限制用户访问 .

{
  "Version": "2012-10-17",
  "Id": "bucketPolicy",
  "Statement": [
    {

      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::1234567890:user/allowedusername"]
      },
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::examplebucket",
                   "arn:aws:s3:::examplebucket/*"]
    },
    {

      "Effect": "Deny",
      "Principal": {
        "AWS": ["arn:aws:iam::1234567890:user/denieduser"]
      },
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::examplebucket",
                   "arn:aws:s3:::examplebucket/*"]
    }

  ]
}

我试图否认所有像下面所有,但明确拒绝优先于允许,我自己现在无法访问桶;-(这是另一个问题,我有

{

          "Effect": "Deny",
          "Principal": {
            "AWS": ["*"]
          },
          "Action": "s3:*",
          "Resource": ["arn:aws:s3:::examplebucket",
                       "arn:aws:s3:::examplebucket/*"]
        }
amazon-web-services amazon-s3

1 回答

  • 3

    要实现您想要的,请使用带有“NotPrincipal”策略元素的显式拒绝 . 以下策略将确保除“NotPrincipal”元素中列出的用户之外,没有其他用户可以访问存储桶 .

    {
            "Id": "bucketPolicy",
            "Statement": [
                    {
                            "Action": "s3:*",
                            "Effect": "Deny",
                            "NotPrincipal": {
                                    "AWS": [
                                            "arn:aws:iam::1234567890:user/alloweduser"
                                    ]
                            },
                            "Resource": [
                                    "arn:aws:s3:::examplebucket",
                                    "arn:aws:s3:::examplebucket/*"
                            ]
                    }
            ],
            "Version": "2012-10-17"
    }
    回复于

相关问题