IAM policy for accessing an S3 bucket allows unintended object Get operations

Time: 2016-02-03 20:04:25

Tags: amazon-s3 amazon-iam

Given these bucket keys:

my-permtest/
my-permtest/rootfile.txt
my-permtest/Finance
my-permtest/Finance/financefile.txt
my-permtest/Collections
my-permtest/Collections/collectionfile.txt
my-permtest/Shared
my-permtest/Shared/sharedfile.txt

and this policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListAllMyBuckets",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Sid": "AllowedListAccess",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketAcl",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::my-permtest",
                "arn:aws:s3:::my-permtest/Collections",
                "arn:aws:s3:::my-permtest/Shared"
            ]
        },
        {
            "Sid": "AllowAllObjectActionsNotExplicitlyDenied",
            "Effect": "Allow",
            "Action": [
                "s3:*Object*"
            ],
            "Resource": [
                "arn:aws:s3:::my-permtest/*"
            ]
        },
        {
            "Sid": "DenyAllFinanceAccess",
            "Effect": "Deny",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::my-permtest/Finance"
            ]
        }
    ]
}

Why am I able to perform Get and Put on s3://my-permtest/Finance/financefile.txt? I expected the "Sid": "DenyAllFinanceAccess" block to forbid this access.

1 answer:

Answer 0 (score: 0)

This turned out to be simple. I also need to deny all actions on all objects below the Finance key. The

    "Sid": "DenyAllFinanceAccess",

block needs to be modified to:

{
    "Sid": "DenyAllFinanceAccess",
    "Effect": "Deny",
    "Action": [
        "s3:*"
    ],
    "Resource": [
        "arn:aws:s3:::my-permtest/Finance",
        "arn:aws:s3:::my-permtest/Finance/*"
    ]
}
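To make the evaluation order behind the question and the answer visible, here is an added example (not the poster's code and not an AWS library): a small simulator of the IAM decision rule, where an explicit Deny beats any Allow but only for resources its ARN pattern actually matches. It assumes IAM-style glob matching ('*' and '?') on action names and ARNs, and it ignores conditions, principals, NotAction/NotResource and bucket policies. The two policy dictionaries reduce the thread's original and corrected statements to what the decision needs.

```python
"""Toy simulator for the IAM evaluation order that explains the thread:
explicit Deny beats Allow, but only where the Deny's resource ARN matches.
Added example, not the poster's code or an AWS library. Assumes IAM-style
glob matching ('*' and '?') on actions and ARNs; ignores conditions,
principals, NotAction/NotResource and bucket policies."""
import fnmatch

BUCKET = "my-permtest"

# The statements from the question that decide object access, as posted.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowedListAccess", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetBucketAcl", "s3:GetBucketLocation"],
         "Resource": [f"arn:aws:s3:::{BUCKET}",
                      f"arn:aws:s3:::{BUCKET}/Collections",
                      f"arn:aws:s3:::{BUCKET}/Shared"]},
        {"Sid": "AllowAllObjectActionsNotExplicitlyDenied", "Effect": "Allow",
         "Action": ["s3:*Object*"],
         "Resource": [f"arn:aws:s3:::{BUCKET}/*"]},
        {"Sid": "DenyAllFinanceAccess", "Effect": "Deny",
         "Action": ["s3:*"],
         # Matches only an object whose key is literally "Finance".
         "Resource": [f"arn:aws:s3:::{BUCKET}/Finance"]},
    ],
}

# The answer's fix: the Deny also covers every key under Finance/.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": ORIGINAL_POLICY["Statement"][:-1] + [
        {"Sid": "DenyAllFinanceAccess", "Effect": "Deny",
         "Action": ["s3:*"],
         "Resource": [f"arn:aws:s3:::{BUCKET}/Finance",
                      f"arn:aws:s3:::{BUCKET}/Finance/*"]},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    # IAM wildcards: '*' matches any run of characters (including '/'),
    # '?' matches one character. Escape '[' so fnmatch does not read it
    # as a character class.
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def evaluate(policy, action, resource_arn):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request.

    Order follows IAM: a matching explicit Deny wins; otherwise a matching
    Allow grants; otherwise the request is implicitly denied. Action names
    are case-insensitive, resource ARNs are case-sensitive.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        action_hit = any(_glob(a.lower(), action.lower())
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(_glob(r, resource_arn)
                           for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def object_arn(key):
    return f"arn:aws:s3:::{BUCKET}/{key}"


def finance_decisions(policy):
    """Get/Put outcome for the keys the question lists under Finance."""
    return {
        (action, key): evaluate(policy, action, object_arn(key))
        for action in ("s3:GetObject", "s3:PutObject")
        for key in ("Finance", "Finance/financefile.txt")
    }


if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY)):
        print(name)
        for (action, key), decision in finance_decisions(policy).items():
            print(f"  {action:<13} {key:<25} -> {decision}")
```

Running it shows why the original policy let the Get and Put through: an S3 "folder" is just an object key, so `arn:aws:s3:::my-permtest/Finance` matched only the placeholder object named `Finance`, while `financefile.txt` below it was matched by the `my-permtest/*` Allow and by no Deny. Two caveats when checking a real account: confirm decisions with the IAM policy simulator (`aws iam simulate-custom-policy`) rather than a toy like this, and note that `s3:ListBucket` is a bucket-level action evaluated against the bucket ARN, so the object-style resources in `AllowedListAccess` do not restrict listing; prefix scoping for listing is done with the `s3:prefix` condition key.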