我有一個儲存桶,裡面有幾個可公開下載的檔案。我想制定一個儲存桶策略,之後這些檔案只能由我的 IAM 用戶下載。到目前為止我得到的政策是這樣的:
{
"Version": "2008-10-17",
"Id": "Policy1424952346041",
"Statement": [
{
"Sid": "Stmt1424958477350",
"Effect": "Deny",
"NotPrincipal": {
"AWS": "arn:aws:iam::777777777777:root"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::test/*"
},
{
"Sid": "Stmt1424958477351",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::777777777777:root"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::test/*"
}
]
}
然而,它否定了包括 IAM 用戶在內的所有人。誰能指出這裡有什麼問題嗎?
答案1
根據您在帳戶中擁有的 IAM 使用者數量,您可以在兩個語句中指定帳戶,如下所示(嘗試一兩個只是作為測試,看看它是否有效)。我過去在獲取 arn:aws:iam::XXXXXXXXXXXX:root 以實際覆蓋所有 IAM 帳戶時遇到過問題。您也可以嘗試僅指定 IAM 使用者並刪除根條目。
{
"Version": "2008-10-17",
"Id": "Policy1424952346041",
"Statement": [
{
"Sid": "Stmt1424958477350",
"Effect": "Deny",
"NotPrincipal": {
"AWS": [
"arn:aws:iam::777777777777:root",
"arn:aws:iam::777777777777:user/user1",
"arn:aws:iam::777777777777:user/user2" ]
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::test/*"
},
{
"Sid": "Stmt1424958477351",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::777777777777:root",
"arn:aws:iam::777777777777:user/user1",
"arn:aws:iam::777777777777:user/user2" ]
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::test/*"
}
]
}