我想限制对所有角色的S3存储桶的访问权限,除了使用S3 Bucket策略选择几个角色。但是在这里,当我切换到我的编写者和读者角色时,其访问被拒绝。
广告管理政策
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::581262627839:role/Rk-S3-Reader-I-Role"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::rkimpdocs"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::581262627839:role/Rk-S3-Writer-I-Role"
},
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::rkimpdocs/*"
},
{
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::rkimpdocs",
"arn:aws:s3:::rkimpdocs/*"
],
"Condition": {
"ForAllValues:StringEquals": {
"aws:TagKeys": [
"JD",
"devops"
]
}
}
}
]
}
编写者角色的IAM角色权限(Rk-S3-Writer-I-Role)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::rkimpdocs"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::rkimpdocs",
"arn:aws:s3:::rkimpdocs/*"
]
}
]
}
输出:
在两个存储桶策略上都拒绝访问并切换到提及角色。任何帮助/建议都会有所帮助。
答案 0 :(得分:0)
显式拒绝将覆盖任何允许。在您的策略中,存储桶策略中的拒绝导致访问被拒绝。要访问特定的IAM角色并拒绝其他角色,您应该使用" NotPrincipal"元件。请参阅此blog,其中说明了您的具体用例。 此外," aws:Tagkeys" S3中的条件为not supported,因此您也必须省略它。