我正在尝试编写 AWS S3 存储桶策略,拒绝所有流量,除非来自两个 VPC。我正在尝试编写的策略如下所示,在两者之间使用逻辑 AND StringNotEquals
(除非它是无效的政策):
{
"Version": "2012-10-17",
"Id": "Policy1415115909152",
"Statement": [
{
"Sid": "Allow-access-only-from-two-VPCs",
"Action": "s3:*",
"Effect": "Deny",
"Resource": ["arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"],
"Condition": {
"StringNotEquals": {
"aws:sourceVpc": "vpc-111bbccc"
},
"StringNotEquals": {
"aws:sourceVpc": "vpc-111bbddd"
}
},
"Principal": "*"
}
]
}
如果我使用这个:
"StringNotEquals": {
"aws:sourceVpc": ["vpc-111bbccc", "vpc-111bbddd"]
}
然后至少有一个字符串比较返回 true,并且 S3 存储桶无法从任何地方访问。
最佳答案
以前从未尝试过。但以下应该有效。发件人:Using IAM Policy Conditions for Fine-Grained Access Control
"Condition": {
"ForAllValues:StringNotEquals": {
"aws:sourceVpc": [
"vpc-111bbccc",
"vpc-111bbddd"
]
},
关于amazon-web-services - 如何在 AWS 策略中提供多个 StringNotEquals 条件?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/46062084/