Amazon web services AWS SNS主题访问策略不阻止用户订阅
我为SNS主题设置了如下访问策略。我想我只允许Amazon web services AWS SNS主题访问策略不阻止用户订阅,amazon-web-services,amazon-iam,amazon-sns,aws-access-policy,Amazon Web Services,Amazon Iam,Amazon Sns,Aws Access Policy,我为SNS主题设置了如下访问策略。我想我只允许user2订阅主题,但是user1可以订阅主题。我如何配置我想要做的事情 { "Version": "2008-10-17", "Id": "__default_policy_ID", "Statement": [ { "Sid": "__console_pub_0",
user2
订阅主题,但是user1
可以订阅主题。我如何配置我想要做的事情
{
"Version": "2008-10-17",
"Id": "__default_policy_ID",
"Statement": [
{
"Sid": "__console_pub_0",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${account_id}:user/user1"
},
"Action": "SNS:Publish",
"Resource": "arn:aws:sns:eu-west-2:${account_id}:topic1"
},
{
"Sid": "__console_sub_0",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${account_id}:user/user2"
},
"Action": [
"SNS:Subscribe",
"SNS:Receive"
],
"Resource": "arn:aws:sns:eu-west-2:${account_id}:topic1"
}
]
}
User1可以订阅,因为它有一个基于身份的策略,允许该操作(完整SNS权限)。如果查看,您将看到基于资源的策略(添加到SNS主题的策略)和基于身份的策略(添加到user1的完整SNS权限)都足以允许访问 当user1尝试订阅主题时,IAM会查看这两个策略。主题策略不适用,但SNS完全访问适用,因此该操作是允许的 如果要确保user1无法订阅,可以向SNS主题添加拒绝策略:
{
"Effect": "Deny",
"Principal": {
"AWS": "arn:aws:iam::${account_id}:user/user1"
},
"Action": [
"SNS:Subscribe",
"SNS:Receive"
],
"Resource": "arn:aws:sns:eu-west-2:${account_id}:topic1"
}
如果添加此语句,当user1尝试订阅时,IAM将看到存在匹配的Deny语句,并将拒绝请求
如果要确保只有user2可以订阅,可以将NotPrincipal与拒绝一起使用:
{
"Effect": "Deny",
"NotPrincipal": {
"AWS": "arn:aws:iam::${account_id}:user/user2"
},
"Action": [
"SNS:Subscribe",
"SNS:Receive"
],
"Resource": "arn:aws:sns:eu-west-2:${account_id}:topic1"
}
这将匹配除user2之外的所有用户,并拒绝订阅,无论他们可能有什么其他策略。我们是否应该尝试在最后拒绝*?user1的IAM活动策略是什么,您能否提供详细信息?他不是艾哈维吗。在管理员访问中?我的假设是,他的政策允许他订阅SNS主题。默认情况下,任何新用户都无法访问SNS。因此,一定有其他一些策略允许它。无论是
user1
还是user2
在其IAM用户设置中都有完整的SNS权限。我希望用“Effect”配置特定用户:“Allow”
只允许那些用户使用。@jiminssy我认为这不是策略的行为方式。只有Deny
权限会覆盖Allow
权限。有关更多详细信息,请参阅