我正在尝试编写AWS S3存储桶策略,拒绝所有流量,除非它来自两个VPC。我正在尝试编写的策略如下所示,两个$'\n'之间的逻辑AND(除了它是无效的策略):
echo如果我使用它:
StringNotEquals然后至少有一个字符串比较返回true,并且无法从任何地方访问S3存储桶。
答案 0 :(得分:4)
之前从未尝试过这种方法。但以下情况应该有效。来自:Using IAM Policy Conditions for Fine-Grained Access Control
"Condition": {
"ForAllValues:StringNotEquals": {
"aws:sourceVpc": [
"vpc-111bbccc",
"vpc-111bbddd"
]
},
答案 1 :(得分:1)
原始JSON的问题:
"Condition": {
"StringNotEquals": {
"aws:sourceVpc": "vpc-111bbccc"
},
"StringNotEquals": {
"aws:sourceVpc": "vpc-111bbddd"
}
}
您不能拥有名为StringNotEquals的重复键。
但是有几种方法可以解决你的问题。
Allow而不是Deny权限不言自明:使用Allow权限代替Deny,然后将StringEquals与数组一起使用。所有值都将被视为OR条件。
{
"Version": "2012-10-17",
"Id": "Policy1415115909152",
"Statement": [
{
"Sid": "Allow-access-only-from-two-VPCs",
"Action": "s3:*",
"Effect": "Allow",
"Resource": ["arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"],
"Condition": {
"StringEquals": {
"aws:sourceVpc": ["vpc-111bbccc", "vpc-111bbddd"]
}
},
"Principal": "*"
}
]
}
IAM政策允许使用ForAnyValues and ForAllValues,可让您在Condition内测试多个值。
{
"Version": "2012-10-17",
"Id": "Policy1415115909152",
"Statement": [
{
"Sid": "Deny-access-except-from-two-VPCs",
"Action": "s3:*",
"Effect": "Deny",
"Resource": ["arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"],
"Condition": {
"ForAllValues:StringNotEquals": {
"aws:sourceVpc": ["vpc-111bbccc", "vpc-111bbddd"]
}
},
"Principal": "*"
}
]
}
StringNotEquals和StringNotEqualsIgnoreCase 我相当确定这是有效的,但它只会限制你的条件下的2个VPC。
{
"Version": "2012-10-17",
"Id": "Policy1415115909152",
"Statement": [
{
"Sid": "Deny-access-except-from-two-VPCs",
"Action": "s3:*",
"Effect": "Deny",
"Resource": ["arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"],
"Condition": {
"StringNotEquals": {
"aws:sourceVpc": ["vpc-111bbccc"]
},
"StringNotEqualsIgnoreCase": {
"aws:sourceVpc": ["vpc-111ddeee"]
}
},
"Principal": "*"
}
]
}