【发布时间】:2016-11-08 01:43:57
【问题描述】:
(背景)目前,我正在尝试为任何需要我公司帐户的人制定一般政策,以便他们可以访问 AWS 上所需的任何内容,但能够更改自己的权限。那里的想法是为他们提供托管策略“PowerUserAccess”。此外,在他们的账户中,他们将拥有一个具有计费权限的 S3 存储桶“arn:aws:s3:::c3-uits-s3”。
(问题)我尝试将此 s3 存储桶设为只读,以便他们可以查看/下载他们的账单,但无法从存储桶上传/删除。我的第一次尝试是
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"NotAction": "iam:*",
"Resource": "*"
},
{
"Effect": "Deny",
"NotAction": [
"s3:List*",
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::c3-uits-s3"
]
}
]
}
拒绝除 Get* 和 List* 之外的所有操作,但有了这些权限,我仍然能够上传/删除,所以我试图只从那里获得必要的权限,只查看而不做任何其他事情,我想出了
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"NotAction": "iam:*",
"Resource": "*"
},
{
"Effect": "Deny",
"NotAction": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::c3-uits-s3"
]
}
]
}
这仍然具有能够上传/删除的相同效果。我尝试的另一个变体是
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"NotAction": [
"iam:*",
"s3:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"NotResource": [
"arn:aws:s3:::c3-uits-s3"
]
},
{
"Effect": "Allow",
"Action": [
"s3:List*",
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::c3-uits-s3"
]
}
]
}
和
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"NotAction": "iam:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:List*",
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::c3-uits-s3"
]
},
{
"Effect": "Deny",
"Action": [
"s3:Put*",
"s3:Create*",
"s3:Delete*",
"s3:Replicate*"
],
"Resource": [
"arn:aws:s3:::c3-uits-s3"
]
}
]
}
任何正确方向的帮助或指示将不胜感激!
【问题讨论】:
标签: json amazon-web-services amazon-s3 permissions amazon-iam