sso用户的s3存储桶策略

时间:2020-10-07 05:08:35

标签: amazon-web-services amazon-s3 amazon-iam

我想允许特定角色“ test-role”在特定存储桶“ test-bucket”上执行所有s3操作。拒绝所有其他人。我写的s3政策:

{
 "Version": "2012-10-17",
 "Id": "Policy1601973417173",
 "Statement": [
 {
 "Sid": "Allow role test-role",
 "Effect": "Allow",
 "Principal": {
 "AWS": "arn:aws:iam::xxxxxxxx:role/test-role"
 },
 "Action": "s3:*",
 "Resource": "arn:aws:s3:::test-bucket/*"
 },
 {
 "Sid": "Deny rest",
 "Effect": "Deny",
 "NotPrincipal": {
 "AWS": "arn:aws:iam::xxxxxxxx:role/test-role"
 },
 "Action": "s3:*",
 "Resource": "arn:aws:s3:::test-bucket/*"
 }
 ]
}

即使应用了上述策略,映射到“ test-role”角色的sso用户也会在存储桶中获得拒绝访问的权限。

注意:AWS控制台将登录用户显示为“联合登录:test-role/sam@abc.com”。

我也尝试过“假定角色”选项仍然失败。任何帮助表示赞赏。

1 个答案:

答案 0 :(得分:0)

尝试一下:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::test-bucket",
                "arn:aws:s3:::test-bucket/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userId": [
                        "AIDA<udserid-1-suppressed>:*",
                        "AIDA<udserid-1-suppressed>",
                        "AIDA<udserid-2-suppressed>:*",
                        "AIDA<udserid-2-suppressed>",
                        "AIDA<udserid-n-suppressed>:*",
                        "AIDA<udserid-n-suppressed>",
                        "111111111111"
                    ]
                }
            }
        }
    ]
}
相关问题
最新问题