AWS IAM policy for the Serverless Framework that only allows deleting the deployment bucket

Time: 2019-01-28 17:17:12

Tags: amazon-web-services amazon-s3 serverless-framework

I am using the Serverless Framework to deploy to AWS. I want to define a policy that allows creating all the resources the Serverless Framework needs. However, I do not want the user to get full access to S3. In particular, the user should only be able to delete buckets whose names contain the specific string -serverlessdeploymentbucket-, and not be able to delete any other bucket.

This is my unsuccessful attempt, because Serverless gets an access denied error on deployment.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::*-serverlessdeploymentbucket-*/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:DeleteBucket"
            ],
            "Resource": "arn:aws:s3:::*-serverlessdeploymentbucket-*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:CreateBucket"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:*",
                "logs:*",
                "iam:*",
                "apigateway:*",
                "lambda:*",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:DescribeNetworkInterfaces",
                "events:*",
                "ssm:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
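To see what the S3 statements above actually grant, here is a small offline evaluator of IAM wildcard semantics (added example, not from the question or the Serverless Framework). It embeds a copy of the three S3 statements, uses constructed bucket ARNs, and shows that the object-level pattern ending in `/*` never matches a bucket ARN, so bucket-level calls such as `s3:GetBucketLocation` on the deployment bucket fall through to an implicit deny.

```python
import re

# Copy of the three S3 statements from the question's policy (the non-S3 statement is omitted).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::*-serverlessdeploymentbucket-*/*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:DeleteBucket"],
         "Resource": "arn:aws:s3:::*-serverlessdeploymentbucket-*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:CreateBucket"],
         "Resource": "arn:aws:s3:::*"},
    ],
}

# Constructed ARNs for the demonstration; the bucket names are not real.
DEPLOY_BUCKET = "arn:aws:s3:::myapp-dev-serverlessdeploymentbucket-1abc2def"
OTHER_BUCKET = "arn:aws:s3:::customer-records"


def _glob(pattern, value, ignore_case):
    """IAM wildcard match: '*' is any run of characters (including '/'), '?' is one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one action/resource pair."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        # Action names are case-insensitive, resource ARNs are case-sensitive.
        if not any(_glob(a, action, True) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_glob(r, resource, False) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins over any allow
        decision = "Allow"
    return decision


if __name__ == "__main__":
    checks = [("s3:DeleteBucket", DEPLOY_BUCKET), ("s3:DeleteBucket", OTHER_BUCKET),
              ("s3:PutObject", DEPLOY_BUCKET + "/serverless/myapp/dev/cf.json"),
              ("s3:GetBucketLocation", DEPLOY_BUCKET), ("s3:CreateBucket", OTHER_BUCKET)]
    for act, res in checks:
        print(f"{act:22} {res:70} {evaluate(POLICY, act, res)}")
```

The same questions can be asked of the real policy with `aws iam simulate-custom-policy`, which applies AWS's own evaluation logic rather than this simplified one.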

0 answers:

No answers