我有一个桶有几个公共可下载的文件。 我想build立一个桶策略,之后这些文件只能由我的IAM用户下载。 我目前得到的政策是这样的:
{ "Version": "2008-10-17", "Id": "Policy1424952346041", "Statement": [ { "Sid": "Stmt1424958477350", "Effect": "Deny", "NotPrincipal": { "AWS": "arn:aws:iam::777777777777:root" }, "Action": "s3:*", "Resource": "arn:aws:s3:::test/*" }, { "Sid": "Stmt1424958477351", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::777777777777:root" }, "Action": "s3:*", "Resource": "arn:aws:s3:::test/*" } ] } 但是,它拒绝包括IAM用户在内的每个人。 任何人都可以指出这里有什么问题吗?
根据您在帐户中拥有多less个IAM用户,您可以按如下方式在两个语句中指定帐户(尝试一个或两个作为testing来查看它是否有效)。 在过去,我得到了arn:aws:iam :: XXXXXXXXXXXX:root来覆盖所有IAM帐户的问题。 您也可以尝试指定IAM用户并删除根条目。
{ "Version": "2008-10-17", "Id": "Policy1424952346041", "Statement": [ { "Sid": "Stmt1424958477350", "Effect": "Deny", "NotPrincipal": { "AWS": [ "arn:aws:iam::777777777777:root", "arn:aws:iam::777777777777:user/user1", "arn:aws:iam::777777777777:user/user2" ] }, "Action": "s3:*", "Resource": "arn:aws:s3:::test/*" }, { "Sid": "Stmt1424958477351", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::777777777777:root", "arn:aws:iam::777777777777:user/user1", "arn:aws:iam::777777777777:user/user2" ] }, "Action": "s3:*", "Resource": "arn:aws:s3:::test/*" } ] }