(背景)目前,我正试图为任何需要在我公司开设账户的人制定一个通用策略,以便他们可以访问AWS上所需的任何内容,但不能更改自己的权限。这里的想法是给他们管理策略"PowerUserAccess"。此外,在他们的帐户中,他们将有一个具有计费权限的S3桶,"arn:aws: S3:::c3- units - S3 "。
(问题)我已经尝试使这个s3桶只读,这样他们可以看到/下载他们的账单,但不能从桶上传/删除。我的第一个尝试是
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"NotAction": "iam:*",
"Resource": "*"
},
{
"Effect": "Deny",
"NotAction": [
"s3:List*",
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::c3-uits-s3"
]
}
]
}
拒绝除Get*和List*以外的所有操作,但有了这些权限,我仍然能够上传/删除,所以我试图只从那里获得必要的权限,只查看,不做任何其他事情,我想出了
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"NotAction": "iam:*",
"Resource": "*"
},
{
"Effect": "Deny",
"NotAction": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::c3-uits-s3"
]
}
]
}
仍然有同样的效果,可以上传/删除。我尝试的另一个变体是
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"NotAction": [
"iam:*",
"s3:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"NotResource": [
"arn:aws:s3:::c3-uits-s3"
]
},
{
"Effect": "Allow",
"Action": [
"s3:List*",
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::c3-uits-s3"
]
}
]
}
和
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"NotAction": "iam:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:List*",
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::c3-uits-s3"
]
},
{
"Effect": "Deny",
"Action": [
"s3:Put*",
"s3:Create*",
"s3:Delete*",
"s3:Replicate*"
],
"Resource": [
"arn:aws:s3:::c3-uits-s3"
]
}
]
}
任何帮助或指针在正确的方向将不胜感激!
桶的Resource为"arn:aws:s3:::bucket-name",而桶中的对象的Resource为"arn:aws:s3:::bucket-name/*"。