Jud*_*udi 5 amazon-s3 amazon-iam aws-cdk
我正在尝试使用 CDK 创建 S3 存储桶。桶已经创造得很好。但是,当我尝试添加以下 IAM 策略时,创建失败 - API: s3:PutBucketPolicy 访问被拒绝
TestBucket.addToResourcePolicy(new iam.PolicyStatement({
actions: [ 's3:*'],
effect: iam.Effect.DENY,
principals: [ new iam.AnyPrincipal],
resources: [TestBucket.bucketArn+'/*'],
conditions: {
"Bool": {
"aws:SecureTransport": "false"
}
},
我运行此代码的用户具有管理员权限。可能是什么问题 ?
用于创建 S3 存储桶并将资源策略设置为仅允许 HTTPS 的示例 CDK 代码。
import * as cdk from "@aws-cdk/core";
import * as s3 from "@aws-cdk/aws-s3";
import * as iam from "@aws-cdk/aws-iam";
export class TestS3Stack extends cdk.Stack {
constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
super(scope, id, props);
this.simpleS3();
}
simpleS3() {
const myBucket = new s3.Bucket(this, "my-bucket", {
bucketName: "my-test-bucket-balu",
blockPublicAccess: {
blockPublicAcls: true,
blockPublicPolicy: true,
ignorePublicAcls: true,
restrictPublicBuckets: true,
},
});
myBucket.addToResourcePolicy(
new iam.PolicyStatement({
actions: ["s3:*"],
effect: iam.Effect.DENY,
principals: [new iam.AnyPrincipal()],
resources: [myBucket.bucketArn, myBucket.bucketArn + "/*"],
conditions: {
Bool: {
"aws:SecureTransport": "false",
},
},
})
);
}
}
除非有服务控制策略阻止管理员用户使用 PutBucketPolicy,否则我们在创建仅阻止 http 请求的存储桶策略时不应收到错误。
我们可以通过尝试从 cli 放置存储桶策略来检查是否存在权限问题
aws s3api put-bucket-policy --bucket my-test-bucket --policy '{"版本": "2012-10-17","声明": [{"效果": "拒绝","主体": " ","操作": "s3: ","资源": "arn:aws:s3:::my-test-bucket/*","条件": {"Bool": {"aws:SecureTransport": “错误的”}}}]}'
| 归档时间: |
|
| 查看次数: |
2810 次 |
| 最近记录: |