AWS S3 bucket policy NotPrincipal Deny

Time: 2017-06-29 19:41:26

Tags: amazon-web-services amazon-s3 amazon-iam

My goal is to give a single IAM user exclusive access to a bucket, and to keep that exclusivity easy to maintain as new IAM users and groups are added. The user is not under my control and has the following managed policy attached:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FullTestBucketS3Access",
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::test",
                "arn:aws:s3:::test/*"
            ]
        }
    ]
}

I have applied a bucket policy to the bucket that needs to exclude every user except one:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": [
                    "arn:aws:iam::111111111111:root",
                    "arn:aws:iam::111111111111:user/myuser"
                ]
            },
            "Action": [
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::test",
                "arn:aws:s3:::test/*"
            ]
        }
    ]
}

I find that the mask provided by the NotPrincipal part of the Deny statement does not work. All users are denied the action specified in the Deny policy. What can I do to fix this?
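To see what the two policies above are supposed to produce under the documented IAM evaluation order (an explicit Deny in any applicable policy wins, otherwise at least one Allow is needed, otherwise implicit deny), here is a small local simulator. It is an added example, not part of the original question and not an AWS tool; it only implements the subset of policy grammar used on this page (Action, Resource, Principal/NotPrincipal with "AWS" ARNs), and the second user ARN `arn:aws:iam::111111111111:user/otheruser` and the object key `file.txt` are constructed for the demonstration. For the real account, the AWS IAM Policy Simulator evaluates against the actual attached policies and the actual caller identity.

```python
import fnmatch
from typing import Any, Dict, List

# Managed policy attached to the user, copied from the question.
MANAGED_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FullTestBucketS3Access",
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": ["arn:aws:s3:::test", "arn:aws:s3:::test/*"],
        }
    ],
}

# Bucket policy from the question: Deny DeleteObject to everyone not listed.
BUCKET_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": [
                    "arn:aws:iam::111111111111:root",
                    "arn:aws:iam::111111111111:user/myuser",
                ]
            },
            "Action": ["s3:DeleteObject"],
            "Resource": ["arn:aws:s3:::test", "arn:aws:s3:::test/*"],
        }
    ],
}

# Constructed ARNs for the demonstration (not from the question).
MYUSER = "arn:aws:iam::111111111111:user/myuser"
OTHERUSER = "arn:aws:iam::111111111111:user/otheruser"
OBJECT = "arn:aws:s3:::test/file.txt"


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _matches(patterns: Any, value: str) -> bool:
    # IAM action and resource matching: '*' wildcard, actions case-insensitive.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _principal_arns(spec: Any) -> List[str]:
    # Flatten {"AWS": [...]} or the bare "*" form into a list of ARNs.
    if spec == "*":
        return ["*"]
    arns: List[str] = []
    for v in spec.values():
        arns.extend(_as_list(v))
    return arns


def _applies_to_principal(stmt: Dict[str, Any], principal: str) -> bool:
    if "Principal" in stmt:
        listed = _principal_arns(stmt["Principal"])
        return "*" in listed or principal in listed
    if "NotPrincipal" in stmt:
        # NotPrincipal matches every caller that is NOT in the list.
        return principal not in _principal_arns(stmt["NotPrincipal"])
    # Identity-based policy: it is attached to the principal, so it applies.
    return True


def evaluate(principal: str, action: str, resource: str,
             identity_policies: List[Dict[str, Any]],
             resource_policies: List[Dict[str, Any]]) -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one same-account request."""
    allowed = False
    for policy in identity_policies + resource_policies:
        for stmt in policy["Statement"]:
            if not _applies_to_principal(stmt, principal):
                continue
            if not _matches(stmt.get("Action", []), action):
                continue
            if not _matches(stmt.get("Resource", []), resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit Deny always wins
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    for who in (MYUSER, OTHERUSER):
        for act in ("s3:DeleteObject", "s3:GetObject"):
            print(who.rsplit("/", 1)[-1], act,
                  evaluate(who, act, OBJECT, [MANAGED_POLICY], [BUCKET_POLICY]))
```

Under these textbook rules the listed user keeps DeleteObject and every other user with the same managed policy is denied it, while non-listed actions such as GetObject stay allowed for everyone; a caller whose identity ARN differs from the one in NotPrincipal falls on the denied side of the mask, which is the kind of mismatch the real simulator, run against the actual caller, would surface.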

0 answers:

No answers