AWS S3 Bucket Policy denying access using NotPrincipal

Time: 2016-07-26 12:50:41

Tags: amazon-web-services amazon-s3

I have configured my S3 bucket with a Bucket Policy that looks like this:

{
    "Version": "2012-10-17",
    "Id": "Policy100000000000",
    "Statement": [
        {
            "Sid": "Stmt1463490591045",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucketname/*"
        },
        {
            "Sid": "Stmt1463490591012",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::012345678900:user/user1",
                    "arn:aws:iam::012345678900:user/user2"
                ]
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::bucketname"
        },
        {
            "Sid": "Stmt1463490660089",
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": [
                    "arn:aws:iam::012345678900:user/user1",
                    "arn:aws:iam::012345678900:user/user2"
                ]
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucketname/*.xml"
        }
    ]
}

The goal is to allow access to xml files in the bucket root to the selected users only. The rule does not seem to work, because I get access denied:

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>DE3DB1FF18B53997</RequestId><HostId>Iy+RnfkFKygJWkSTI0dXjssFsGFP2MydZZi/R5KBw5M8mZnfClt6HMOKJvAwy7sJgSx9BJQ3DbN=</HostId></Error>

I have tried fetching the xml file with the AWS Node.js and Python SDKs as well as aws-cli. I keep getting the same Access Denied message.

The AWS documentation on bucket policies is very scattered and has not given me a solution to the problem. There is very little documentation on using NotPrincipal in a policy.

The ListBucket permission works fine, which means the problem is specific to the rule, not to the target users.

1 answer:

Answer 0 (score: 0)

Your last Deny policy does not say anything at all about what should happen (allow or deny) to requests whose principal is user1 or user2. When you send an S3 request as user1 or user2, the bucket policy will have no effect (because none of its rules match principal user1 or user2 for the given action and the given resource).

The goal is to allow access to xml files in the bucket root to the selected users only

In that case, you can add a rule that explicitly allows those users access to your xml files:

{
    "Sid": "Stmt1463490660089",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::012345678900:user/user1",
            "arn:aws:iam::012345678900:user/user2"
        ]
    },
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::bucketname/*.xml"
}
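The answer above reasons about which statement of the asker's policy matches which principal. The Python script below is an added example, not part of the question or the answer and not AWS code: a simplified evaluator of a resource policy, run over a constructed copy of the three statements from the question. It applies the documented precedence (an explicit Deny beats any Allow, which beats the implicit deny) and IAM's `*` wildcard, which also spans `/`, so `bucketname/*.xml` covers nested keys and not only the bucket root. The names `USER3`, `ANONYMOUS` and the scenario labels are constructed. Two things it makes visible: the NotPrincipal deny never matches user1 or user2, so their requests fall through to the first statement, and that first statement grants anonymous `s3:GetObject` on every non-xml object in the bucket. It models only the bucket policy itself; it ignores the principals' own IAM identity policies and the IAM documentation's advice that a Deny with NotPrincipal naming IAM users should also list their account's root ARN, so it does not by itself reproduce the asker's AccessDenied.

```python
import fnmatch
import json

# Constructed copy of the bucket policy posted in the question (same account id,
# bucket name and Sids as the post); not taken from any live AWS account.
POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Stmt1463490591045", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucketname/*"},
        {"Sid": "Stmt1463490591012", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::012345678900:user/user1",
                               "arn:aws:iam::012345678900:user/user2"]},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::bucketname"},
        {"Sid": "Stmt1463490660089", "Effect": "Deny",
         "NotPrincipal": {"AWS": ["arn:aws:iam::012345678900:user/user1",
                                  "arn:aws:iam::012345678900:user/user2"]},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucketname/*.xml"}
    ]
}
""")

USER1 = "arn:aws:iam::012345678900:user/user1"
USER3 = "arn:aws:iam::012345678900:user/user3"   # constructed: a user the policy never names
ANONYMOUS = "anonymous"                          # constructed marker for an unsigned request


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _principal_set(spec):
    """Flatten a Principal/NotPrincipal value ("*" or {"AWS": ...}) into a set of ARNs."""
    if spec == "*":
        return {"*"}
    out = set()
    for v in spec.values():
        out.update(_as_list(v))
    return out


def _wildcard_match(patterns, candidate):
    """IAM-style matching: '*' spans any characters, including '/', so
    bucketname/*.xml also matches bucketname/sub/dir/file.xml."""
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))


def _principal_matches(stmt, principal):
    if "Principal" in stmt:
        allowed = _principal_set(stmt["Principal"])
        return "*" in allowed or principal in allowed
    if "NotPrincipal" in stmt:
        # NotPrincipal matches everyone NOT listed, anonymous callers included.
        return principal not in _principal_set(stmt["NotPrincipal"])
    return False


def evaluate(policy, principal, action, resource):
    """Apply the documented order for a resource policy: an explicit Deny wins,
    otherwise the first matching Allow wins, otherwise implicit deny.
    Returns (effect, sid). IAM identity policies are out of scope here."""
    allow_sid = None
    for stmt in policy["Statement"]:
        if not (_principal_matches(stmt, principal)
                and _wildcard_match(stmt["Action"], action)
                and _wildcard_match(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return ("Deny", stmt["Sid"])
        allow_sid = allow_sid or stmt["Sid"]
    return ("Allow", allow_sid) if allow_sid else ("ImplicitDeny", None)


def scenarios():
    """Requests a reviewer would check before trusting this policy (constructed inputs)."""
    get, lst = "s3:GetObject", "s3:ListBucket"
    return {
        "anon_xml":    evaluate(POLICY, ANONYMOUS, get, "arn:aws:s3:::bucketname/a.xml"),
        "anon_nested": evaluate(POLICY, ANONYMOUS, get, "arn:aws:s3:::bucketname/d/a.xml"),
        "anon_txt":    evaluate(POLICY, ANONYMOUS, get, "arn:aws:s3:::bucketname/a.txt"),
        "user3_xml":   evaluate(POLICY, USER3, get, "arn:aws:s3:::bucketname/a.xml"),
        "user1_xml":   evaluate(POLICY, USER1, get, "arn:aws:s3:::bucketname/a.xml"),
        "user1_list":  evaluate(POLICY, USER1, lst, "arn:aws:s3:::bucketname"),
        "anon_list":   evaluate(POLICY, ANONYMOUS, lst, "arn:aws:s3:::bucketname"),
    }


if __name__ == "__main__":
    for name, (effect, sid) in scenarios().items():
        print(f"{name:12s} -> {effect:12s} {sid or ''}")
```

Run it with `python3` and read the `anon_txt` and `user1_xml` rows together: the first is why the wildcard Allow deserves a second look, the second is why, within the bucket policy alone, user1's xml request is decided by that same statement and not by the NotPrincipal Deny.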