Amazon web services sso用户的s3存储桶策略
我想允许特定角色“测试角色”的特定bucket“测试bucket”上的所有s3操作。为所有其他人否认这个桶。我编写的s3策略:Amazon web services sso用户的s3存储桶策略,amazon-web-services,amazon-s3,amazon-iam,Amazon Web Services,Amazon S3,Amazon Iam,我想允许特定角色“测试角色”的特定bucket“测试bucket”上的所有s3操作。为所有其他人否认这个桶。我编写的s3策略: { "Version": "2012-10-17", "Id": "Policy1601973417173", "Statement": [ { "Sid": "Allow role test-role", "
{
"Version": "2012-10-17",
"Id": "Policy1601973417173",
"Statement": [
{
"Sid": "Allow role test-role",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::xxxxxxxx:role/test-role"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::test-bucket/*"
},
{
"Sid": "Deny rest",
"Effect": "Deny",
"NotPrincipal": {
"AWS": "arn:aws:iam::xxxxxxxx:role/test-role"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::test-bucket/*"
}
]
}
即使在应用了上述策略之后,映射到角色“test role”的sso用户在bucket上也会被拒绝访问
注意:AWS控制台将登录用户显示为“联合登录:测试角色”/sam@abc.com“
我也尝试过“假定角色”选项仍然失败。感谢您的帮助。试试以下方法:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::test-bucket",
"arn:aws:s3:::test-bucket/*"
],
"Condition": {
"StringNotLike": {
"aws:userId": [
"AIDA<udserid-1-suppressed>:*",
"AIDA<udserid-1-suppressed>",
"AIDA<udserid-2-suppressed>:*",
"AIDA<udserid-2-suppressed>",
"AIDA<udserid-n-suppressed>:*",
"AIDA<udserid-n-suppressed>",
"111111111111"
]
}
}
}
]
}
{
“版本”:“2012-10-17”,
“声明”:[
{
“效果”:“拒绝”,
“委托人”:“*”,
“行动”:“s3:*”,
“资源”:[
“arn:aws:s3:::测试桶”,
“arn:aws:s3:::测试桶/*”
],
“条件”:{
“StringNotLike”:{
“aws:userId”:[
“艾达:”,
“艾达”,
“艾达:”,
“艾达”,
“艾达:”,
“艾达”,
"111111111111"
]
}
}
}
]
}
试试这个:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::test-bucket",
"arn:aws:s3:::test-bucket/*"
],
"Condition": {
"StringNotLike": {
"aws:userId": [
"AIDA<udserid-1-suppressed>:*",
"AIDA<udserid-1-suppressed>",
"AIDA<udserid-2-suppressed>:*",
"AIDA<udserid-2-suppressed>",
"AIDA<udserid-n-suppressed>:*",
"AIDA<udserid-n-suppressed>",
"111111111111"
]
}
}
}
]
}
{
“版本”:“2012-10-17”,
“声明”:[
{
“效果”:“拒绝”,
“委托人”:“*”,
“行动”:“s3:*”,
“资源”:[
“arn:aws:s3:::测试桶”,
“arn:aws:s3:::测试桶/*”
],
“条件”:{
“StringNotLike”:{
“aws:userId”:[
“艾达:”,
“艾达”,
“艾达:”,
“艾达”,
“艾达:”,
“艾达”,
"111111111111"
]
}
}
}
]
}
太棒了。。我一直在尝试使用“aws:username”选项,但没有成功。很高兴它对你有用!请记住投票并接受答案。那太棒了。。我一直在尝试使用“aws:username”选项,但没有成功。很高兴它对你有用!请记住投票并接受答案。