拒绝 AWS S3 中的匿名下载

拒绝 AWS S3 中的匿名下载

我有一个存储桶,里面有几个文件可以公开下载。我想制定一个存储桶策略,规定这些文件只能由我的 IAM 用户下载。到目前为止,我制定的策略如下:

{
    "Version": "2008-10-17",
    "Id": "Policy1424952346041",
    "Statement": [
        {
            "Sid": "Stmt1424958477350",
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": "arn:aws:iam::777777777777:root"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::test/*"
        },
        {
            "Sid": "Stmt1424958477351",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::777777777777:root"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::test/*"
        }
    ]
}

但是,它拒绝了包括 IAM 用户在内的所有人。有人能指出这里出了什么问题吗?

答案1

根据账户中 IAM 用户的数量,您可以按如下方式在两个语句中指定账户(尝试一两个作为测试,看看是否有效)。我过去曾遇到过 arn:aws:iam::XXXXXXXXXXXX:root 无法真正覆盖所有 IAM 账户的问题。您也可以尝试仅指定 IAM 用户并删除 root 条目。

{
    "Version": "2008-10-17",
    "Id": "Policy1424952346041",
    "Statement": [
        {
            "Sid": "Stmt1424958477350",
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": [
                        "arn:aws:iam::777777777777:root",
                        "arn:aws:iam::777777777777:user/user1", 
                        "arn:aws:iam::777777777777:user/user2" ]
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::test/*"
        },
        {
            "Sid": "Stmt1424958477351",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                        "arn:aws:iam::777777777777:root",
                        "arn:aws:iam::777777777777:user/user1",
                        "arn:aws:iam::777777777777:user/user2" ]
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::test/*"
        }
    ]
}

相关内容