S3政策:尝试仅允许特定的用户和资源,并意外阻止了我自己

时间:2019-08-29 08:36:57

标签: amazon-web-services amazon-s3 amazon-iam

我有一个S3存储桶,我想将其访问权限限制为仅某些特定用户。我创建了一个测试帐户IAM:“ test.access”,并将此策略放到了我的存储桶中:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AuthorizeOnlySpecifiedUsers",
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": [
                    "arn:aws:iam::xxxxxxxxxx:user/test.access"
                ]
            },
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::test-bucket-xxxxxx-dev",
                "arn:aws:s3:::test-bucket-xxxxxx-dev/*"
            ]
        }
    ]
}

现在的问题是,即使用户test.access,任何人都无法访问该存储桶

该政策怎么了?

谢谢。

1 个答案:

答案 0 :(得分:0)

此政策应该有效(我尚无法测试)。需要注意的几件事

  • 确保将自己纳入拒绝非委托人政策
  • 如果您不希望用户拥有对存储桶的完全访问权限,请列出其允许部分所需要的操作。 IAM用户/角色策略将授予您本人和其他管理员的其他操作
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AuthorizeOnlySpecifiedUsers",
      "Effect": "Deny",
      "Action": [
        "s3:*"
      ],
      "NotPrincipal": {
        "AWS": [
          "arn:aws:iam::xxxxxxxxxx:user/test.access",
          "arn:aws:iam::xxxxxxxxxx:user/yourself"
        ]
      },
      "Resource": [
        "arn:aws:s3:::test-bucket-xxxxxx-dev",
        "arn:aws:s3:::test-bucket-xxxxxx-dev/*"
      ]
    },
    {
      "Sid": "Allow",
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts",
        "s3:DeleteObject*",
        "s3:PutObject*",
        "s3:GetObject*",
        "s3:RestoreObject*"
      ],
      "Resource": [
        "arn:aws:s3:::test-bucket-xxxxxx-dev",
        "arn:aws:s3:::test-bucket-xxxxxx-dev/*"
      ]
    }
  ]
}
相关问题
最新问题