我有以下用户配置:
namespace: s3test
user: s3test
subuser: backup (set up with s3 credentials instead of swift)
我想定义一个bucket策略,明确防止备份用户将其放入由s3test
用户创建的名为hedgehogs
的bucket中:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyPutToHedgehogsForBackup",
"Effect": "Deny",
"Principal": {
"CanonicalUser": "s3test:backup"
},
"Action": ["s3:PutObject"],
"Resource": [
"arn:aws:s3:::hedgehogs/*"
]
}
]
}
然而,这似乎阻止了s3test
和s3test:backup
都将其置于hedgehogs
。
我的策略语法有问题吗?或者这意味着使用s3凭据配置的子用户只是使用主用户权限访问s3的另一种方式?
您的bucket策略应该是这样的:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Deny",
"Principal": {"AWS": ["arn:aws:iam:::user/s3test:backup"]},
"Action": "s3:PutObject",
"Resource": [
"arn:aws:s3:::hedgehogs/*"
]
}]
}