我有一个S3桶,我想允许通过特定用户代理的任何人访问。同时,我想允许访问一组AWS帐户id(不需要通过用户代理进行访问)
我已经有了满足这两个条件的2个策略,但是我想为桶有一个满足这两个条件的策略。
允许基于用户代理(user_agent1, user_agent2)访问的第一个策略
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "allow-username-and-password-access",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::dumps/*",
"Condition": {
"ForAllValues:StringNotEquals": {
"aws:UserAgent": [
"user_agent1",
"user_agent2"
]
}
}
}
]
}
允许基于帐户ID(1和2)访问的第二个桶策略
{
"Version": "2012-10-17",
"Id": "Policy1606557924566",
"Statement": [
{
"Sid": "Stmt1606557921184",
"Effect": "Allow",
"Principal": {
"AWS": ["arn:aws:iam::1:user","arn:aws:iam::2:user"]
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::dumps/*"
}
]
}
在简单的英语中,我希望访问被允许,如果帐户ID是1或2,或者如果用户传递user_agent1或user_agent2作为用户代理(从任何帐户ID)
我如何构建一个桶策略?
可以有多条语句在一个策略中:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "allow-username-and-password-access",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::dumps/*",
"Condition": {
"ForAllValues:StringNotEquals": {
"aws:UserAgent": [
"user_agent1",
"user_agent2"
]
}
}
},
{
"Sid": "Stmt1606557921184",
"Effect": "Allow",
"Principal": {
"AWS": ["arn:aws:iam::1:user","arn:aws:iam::2:user"]
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::dumps/*"
}
]
}