默认情况下,我们的用户通过 IAM 拥有完整的 S3 访问权限,我有一个存储桶,但我需要限制对某一特定用户的访问,并阻止所有其他用户。
我在这里遵循了本指南https://aws.amazon.com/premiumsupport/knowledge-center/explicit-deny-principal-elements-s3/
并制定了此存储桶策略 -
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::XXXXXXXXXXXX:user/USERWHONEEDSACCESS"
]
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::NAMEOFBUCKET/*"
},
{
"Sid": "",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::NAMEOFBUCKET/*",
"Condition": {
"StringNotLike": {
"aws:userid": "USERWHONEEDSACCESS:*"
}
}
}
]
}
但是它不起作用。有什么建议吗?
最佳答案
您可以尝试以下操作:
{
"Version": "2012-10-17",
"Statement": [
{
"Principal": {
"AWS": [
"arn:aws:iam::XXXXXXXXXXXX:user/USERWHONEEDSACCESS"
]
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::nameofbucket/*",
"arn:aws:s3:::nameofbucket"
],
"Effect": "Allow"
},
{
"NotPrincipal": {
"AWS": [
"arn:aws:iam::XXXXXXXXXXXX:user/USERWHONEEDSACCESS"
]
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::nameofbucket/*",
"arn:aws:s3:::nameofbucket"
],
"Effect": "Deny"
}
]
}
在 How to Restrict Amazon S3 Bucket Access to a Specific IAM Role您可以阅读有关使用 NotPrincipal
和限制对单个 IAM 用户
的访问的博客文章,具体来说:
You can use the NotPrincipal element of an IAM or S3 bucket policy to limit resource access to a specific set of users. This element allows you to block all users who are not defined in its value array, even if they have an Allow in their own IAM user policies.
为了生成此策略代码片段,我使用了:https://asecure.cloud/a/s3_restrict_iam_user/我用您的示例值预先填充了 iamPrincipal
和 bucketName
参数。
关于amazon-web-services - AWS 存储桶策略 - 使用存储桶策略限制对存储桶的访问,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/70862996/