以下内容似乎是Deny语句的无效主体:
"Principal" : {
"AWS" : [
"arn:aws:iam::123412341234:*"
]
}
假设1234 1234 1234是我们的帐户id。
如何设置?下面似乎可以工作,但意味着必须明确列出来自外部帐户的所有相关arn:
"NotPrincipal" : {
"AWS" : [
"arn:aws:iam::111112341234:role/blar1",
"arn:aws:iam::111112341234:role/blar2",
"arn:aws:iam::111112341234:root",
"arn:aws:iam::555552341234:role/blar3",
"arn:aws:iam::555552341234:root",
]
}
事实上,根据https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/这甚至不起作用,因为我必须包括无法提前知道的assumed-role
arns。
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notprincipal.html
这似乎有效:
"Principal" : {
"AWS" : [
"*"
]
}
"Condition" : {
"ArnLike" : {
"aws:PrincipalArn" : [
"arn:aws:iam::123412341234:*"
]
}
}