我有一个存储桶,里面有几个文件可以公开下载。我想制定一个存储桶策略,规定这些文件只能由我的 IAM 用户下载。到目前为止,我制定的策略如下:
{
"Version": "2008-10-17",
"Id": "Policy1424952346041",
"Statement": [
{
"Sid": "Stmt1424958477350",
"Effect": "Deny",
"NotPrincipal": {
"AWS": "arn:aws:iam::777777777777:root"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::test/*"
},
{
"Sid": "Stmt1424958477351",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::777777777777:root"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::test/*"
}
]
}
但是,它拒绝了包括 IAM 用户在内的所有人。有人能指出这里出了什么问题吗?
答案1
根据账户中 IAM 用户的数量,您可以按如下方式在两个语句中指定账户(尝试一两个作为测试,看看是否有效)。我过去曾遇到过 arn:aws:iam::XXXXXXXXXXXX:root 无法真正覆盖所有 IAM 账户的问题。您也可以尝试仅指定 IAM 用户并删除 root 条目。
{
"Version": "2008-10-17",
"Id": "Policy1424952346041",
"Statement": [
{
"Sid": "Stmt1424958477350",
"Effect": "Deny",
"NotPrincipal": {
"AWS": [
"arn:aws:iam::777777777777:root",
"arn:aws:iam::777777777777:user/user1",
"arn:aws:iam::777777777777:user/user2" ]
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::test/*"
},
{
"Sid": "Stmt1424958477351",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::777777777777:root",
"arn:aws:iam::777777777777:user/user1",
"arn:aws:iam::777777777777:user/user2" ]
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::test/*"
}
]
}