我正在尝试使用CDK创建一个S3存储桶。水桶创造了美好。但是,当我尝试添加以下IAM策略时,创建失败-API:s3:PutBucketPolicy Access Denied
TestBucket.addToResourcePolicy(new iam.PolicyStatement({
actions: [ 's3:*'],
effect: iam.Effect.DENY,
principals: [ new iam.AnyPrincipal],
resources: [TestBucket.bucketArn+'/*'],
conditions: {
"Bool": {
"aws:SecureTransport": "false"
}
},
我运行此代码的用户拥有管理员权限。可能是什么问题?
示例CDK代码以创建S3 Bucket并将资源策略设置为仅允许HTTPS。
import * as cdk from "@aws-cdk/core";
import * as s3 from "@aws-cdk/aws-s3";
import * as iam from "@aws-cdk/aws-iam";
export class TestS3Stack extends cdk.Stack {
constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
super(scope, id, props);
this.simpleS3();
}
simpleS3() {
const myBucket = new s3.Bucket(this, "my-bucket", {
bucketName: "my-test-bucket-balu",
blockPublicAccess: {
blockPublicAcls: true,
blockPublicPolicy: true,
ignorePublicAcls: true,
restrictPublicBuckets: true,
},
});
myBucket.addToResourcePolicy(
new iam.PolicyStatement({
actions: ["s3:*"],
effect: iam.Effect.DENY,
principals: [new iam.AnyPrincipal()],
resources: [myBucket.bucketArn, myBucket.bucketArn + "/*"],
conditions: {
Bool: {
"aws:SecureTransport": "false",
},
},
})
);
}
}
除非有一个服务控制策略阻止管理员用户访问PutBucketPolicy,否则在创建一个只阻止http请求的bucket策略时,我们不应该出现错误。
我们可以通过尝试cli 的put bucket策略来检查是否存在权限问题
aws s3api放入bucket策略--bucket我的测试bucket--策略"{"版本:"2012-10-17","声明":[{"效果:"拒绝","主体":">"动作":"s3:"资源":"arn:aws:s3:::我的测试桶/*"条件":{"Bool":{"aws:SecureTransport":"false"}}}]}'