小贝子编程

如何设置AWS S3策略,其中Principals是特定AWS帐户中的所有主体



以下内容似乎是Deny语句的无效主体:

"Principal" : {
"AWS" : [
"arn:aws:iam::123412341234:*"
]
}

假设1234 1234 1234是我们的帐户id。

如何设置?下面似乎可以工作,但意味着必须明确列出来自外部帐户的所有相关arn:

"NotPrincipal" : {
"AWS" : [
"arn:aws:iam::111112341234:role/blar1",
"arn:aws:iam::111112341234:role/blar2",
"arn:aws:iam::111112341234:root",
"arn:aws:iam::555552341234:role/blar3",
"arn:aws:iam::555552341234:root",
]
}

事实上,根据https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/这甚至不起作用,因为我必须包括无法提前知道的assumed-rolearns。

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notprincipal.html

这似乎有效:

"Principal" : {
"AWS" : [
"*"
]
}
"Condition" : {
"ArnLike" : {
"aws:PrincipalArn" : [
"arn:aws:iam::123412341234:*"
]
}
}

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium