【发布时间】:2016-03-02 15:39:01
【问题描述】:
我正在与我的 IT 团队合作,以限制我的用户帐户(在根帐户下),使其无法访问我不想访问的 S3 存储桶。启用 AWSLambdaFullAccess 策略时,它可以完全访问许多 AWS 功能,包括所有 S3。这是 AWSLambdaFullAccess 政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:*",
"cognito-identity:ListIdentityPools",
"cognito-sync:GetCognitoEvents",
"cognito-sync:SetCognitoEvents",
"dynamodb:*",
"events:*",
"iam:ListAttachedRolePolicies",
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:PassRole",
"kinesis:DescribeStream",
"kinesis:ListStreams",
"kinesis:PutRecord",
"lambda:*",
"logs:*",
"s3:*",
"sns:ListSubscriptions",
"sns:ListSubscriptionsByTopic",
"sns:ListTopics",
"sns:Subscribe",
"sns:Unsubscribe"
],
"Resource": "*"
}
]
}
大部分都很好。我如何将其更改为新策略,以便我只能访问“arn:aws:s3:::lambda-scripts”存储桶?
【问题讨论】:
标签: amazon-web-services amazon-s3 aws-lambda