S3 Bucket Policy允许访问特定角色并限制所有角色

时间:2017-12-15 06:32:46

标签: amazon-web-services amazon-s3 amazon-ec2 aws-lambda

我想限制对所有角色的S3存储桶的访问权限,除了使用S3 Bucket策略选择几个角色。但是在这里,当我切换到我的编写者和读者角色时,其访问被拒绝。

广告管理政策

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::581262627839:role/Rk-S3-Reader-I-Role"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::rkimpdocs"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::581262627839:role/Rk-S3-Writer-I-Role"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::rkimpdocs/*"
        },
        {
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::rkimpdocs",
                "arn:aws:s3:::rkimpdocs/*"
            ],
            "Condition": {
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": [
                        "JD",
                        "devops"
                    ]
                }
            }
        }
    ]
}  

编写者角色的IAM角色权限(Rk-S3-Writer-I-Role)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::rkimpdocs"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::rkimpdocs",
                "arn:aws:s3:::rkimpdocs/*"
            ]
        }
    ]
}

输出:

在两个存储桶策略上都拒绝访问并切换到提及角色。任何帮助/建议都会有所帮助。

1 个答案:

答案 0 :(得分:0)

显式拒绝将覆盖任何允许。在您的策略中,存储桶策略中的拒绝导致访问被拒绝。要访问特定的IAM角色并拒绝其他角色,您应该使用" NotPrincipal"元件。请参阅此blog,其中说明了您的具体用例。 此外," aws:Tagkeys" S3中的条件为not supported,因此您也必须省略它。