我试图限制S3存储桶访问几个不同子网内的EC2实例:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Principal": {"AWS": "*"},
"Resource": [
"arn:aws:s3:::test.bucket",
"arn:aws:s3:::test.bucket/*"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"192.168.129.64/27",
"192.168.129.96/27",
"192.168.128.64/26"
]
}
}
},
{
"Effect": "Deny",
"Action": "s3:*",
"Principal": {"AWS": "*"},
"Resource": [
"arn:aws:s3:::test.bucket",
"arn:aws:s3:::test.bucket/*"
],
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"192.168.129.64/27",
"192.168.129.96/27",
"192.168.128.64/26"
]
}
}
}
]
}
我知道这个政策的特殊性存在其他问题,但除了条件之外,我试图尽可能地让它成为可能.不幸的是,尝试aws s3 ls s3://test.bucket使用IP地址的ec2实例中的简单操作192.168.129.100失败并拒绝访问.这项政策有效地锁定了我.
我不知道我错过了什么.我甚至试过前面加上ForAnyValue和ForAllValues到IpAddress和NotIpAddress条件.