(背景)目前,我正在尝试为在我公司需要帐户的任何人制定一般政策,以便他们可以访问AWS上所需的任何内容,但能够更改自己的权限。这个想法是为他们提供托管策略“PowerUserAccess”。此外,在他们的帐户中,他们将拥有一个具有计费权限的S3存储桶,“arn:aws:s3 ::: c3-uits-s3”。
(问题)我试图让这个s3存储桶只读,以便他们可以查看/下载他们的账单,但无法从存储桶上传/删除。我的第一次尝试是
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"NotAction": "iam:*",
"Resource": "*"
},
{
"Effect": "Deny",
"NotAction": [
"s3:List*",
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::c3-uits-s3"
]
}
]
}
拒绝所有操作但Get *和List *但有了这些权限我仍然可以上传/删除,所以我试图从那里只获取必要的权限,只查看并且不做任何其他事情我想出了
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"NotAction": "iam:*",
"Resource": "*"
},
{
"Effect": "Deny",
"NotAction": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::c3-uits-s3"
]
}
]
}
仍然可以上传/删除相同的效果。我试过的另一个变种是
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"NotAction": [
"iam:*",
"s3:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"NotResource": [
"arn:aws:s3:::c3-uits-s3"
]
},
{
"Effect": "Allow",
"Action": [
"s3:List*",
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::c3-uits-s3"
]
}
]
}
和
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"NotAction": "iam:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:List*",
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::c3-uits-s3"
]
},
{
"Effect": "Deny",
"Action": [
"s3:Put*",
"s3:Create*",
"s3:Delete*",
"s3:Replicate*"
],
"Resource": [
"arn:aws:s3:::c3-uits-s3"
]
}
]
}
非常感谢任何正确方向的帮助或指示!
答案 0 :(得分:0)
存储分区<{1}}的{{1}}为Resource,但存储区对象的"arn:aws:s3:::bucket-name"为Resource }。
你不能否认对象的任何操作。