Adi*_*ari 5 amazon-s3 amazon-web-services
我有一个包含多个可公开下载的文件的存储桶。我想制定一个存储桶策略,之后这些文件只能由我的 IAM 用户下载。到目前为止我得到的政策是这样的:
{
"Version": "2008-10-17",
"Id": "Policy1424952346041",
"Statement": [
{
"Sid": "Stmt1424958477350",
"Effect": "Deny",
"NotPrincipal": {
"AWS": "arn:aws:iam::777777777777:root"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::test/*"
},
{
"Sid": "Stmt1424958477351",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::777777777777:root"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::test/*"
}
]
}
但是,它拒绝了包括 IAM 用户在内的所有人。任何人都可以指出这里有什么问题吗?
根据您在账户中拥有的 IAM 用户数量,您可以在两个语句中指定账户,如下所示(尝试一两个只是作为测试,看看它是否有效)。我过去在获取 arn:aws:iam::XXXXXXXXXXXX:root 以实际覆盖所有 IAM 账户时遇到过问题。您还可以尝试仅指定 IAM 用户并删除根条目。
{
"Version": "2008-10-17",
"Id": "Policy1424952346041",
"Statement": [
{
"Sid": "Stmt1424958477350",
"Effect": "Deny",
"NotPrincipal": {
"AWS": [
"arn:aws:iam::777777777777:root",
"arn:aws:iam::777777777777:user/user1",
"arn:aws:iam::777777777777:user/user2" ]
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::test/*"
},
{
"Sid": "Stmt1424958477351",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::777777777777:root",
"arn:aws:iam::777777777777:user/user1",
"arn:aws:iam::777777777777:user/user2" ]
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::test/*"
}
]
}
| 归档时间: |
|
| 查看次数: |
759 次 |
| 最近记录: |