我只是尝试将标签添加到某些存储桶中,然后创建了一个内联IAM角色策略,该策略使该角色可以访问S3存储桶,但是没有用。我同时尝试了iam:ResourceTag/tagName和s3:ResourceTag/tagName作为条件,但是都没有用。
看起来一切都很好,我开始认为AWS可能尚未为S3实现此功能。是这样吗我尝试查看文档,但确实没有发现与S3一起使用的标签有关的任何信息。
例如,角色HumanResources应该具有所有标记有HR,Recruitment等的存储桶,而其他存储桶则没有。
答案 0 :(得分:1)
在查看Actions, Resources, and Condition Keys for Amazon S3 - AWS Identity and Access Management时,似乎无法在IAM策略中指定存储桶标签。
一种选择是在存储桶名称中使用通配符。例如,您可以授予访问权限:
acme-hr-1
您可以根据存储区名称acme-hr-*授予权限。
答案 1 :(得分:1)
是的,但是您需要在每个S3资源策略上进行操作。
这里是S3策略,仅将IAM用户和角色的Tag部门设置为“ hr”的用户授予对存储桶的访问权限。
为确保HR员工只能访问这些存储桶,您需要从其IAM用户/角色访问策略中删除所有S3访问权限。
$event上一个错误的答案
发件人:IAM Policy Elements: Variables and Tags - AWS Identity and Access Management
event 还请确保在 {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyObjectOthers",
"Effect": "Deny",
"Principal": "*",
"Action": [
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts",
"s3:DeleteObject*",
"s3:PutObject*",
"s3:GetObject*",
"s3:RestoreObject*"
],
"Resource": [
"arn:aws:s3:::BUCKET_NAME/*"
],
"Condition": {
"StringNotLike": {
"aws:PrincipalTag/department": [
"hr"
]
}
}
},
{
"Sid": "DenyListOthers",
"Effect": "Deny",
"Principal": "*",
"Action": [
"s3:ListBucket*"
],
"Resource": [
"arn:aws:s3:::BUCKET_NAME"
],
"Condition": {
"StringNotLike": {
"aws:PrincipalTag/department": [
"hr"
]
}
}
},
{
"Sid": "AllowObject",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AWS_ACCOUNT_NUMBER:root"
},
"Action": [
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts",
"s3:DeleteObject*",
"s3:PutObject*",
"s3:GetObject*",
"s3:RestoreObject*"
],
"Resource": [
"arn:aws:s3:::BUCKET_NAME/*"
],
"Condition": {
"StringLike": {
"aws:PrincipalTag/department": [
"hr"
]
}
}
},
{
"Sid": "AllowList",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AWS_ACCOUNT_NUMBER:root"
},
"Action": [
"s3:ListBucket*"
],
"Resource": [
"arn:aws:s3:::BUCKET_NAME"
],
"Condition": {
"StringLike": {
"aws:PrincipalTag/department": [
"hr"
]
}
}
}
]
}
处包含该版本。