(背景)目前我正试图为需要我公司帐户的任何人制定一项通用政策,以便他们可以访问他们在AWS上需要的任何内容,但不能更改他们自己的权限。这个想法是为他们提供托管策略“PowerUserAccess”。另外,在他们的账户中,他们将拥有一个拥有账单权限的S3存储桶,“arn:aws:s3 ::: c3-uits-s3”。如何构建IAM高级用户以对S3存储桶进行只读访问?
(问题)我试图让这个s3桶只读,以便他们可以看到/下载他们的账单,但是无法从桶中上传/删除。我第一次尝试是
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "NotAction": "iam:*", "Resource": "*" }, { "Effect": "Deny", "NotAction": [ "s3:List*", "s3:Get*" ], "Resource": [ "arn:aws:s3:::c3-uits-s3" ] } ] }
否认每一个动作,但获取*和列表*但这些权限我仍然能够上传/删除,所以我就先只从那里可以只查看所需的权限并没有别的,我想出了
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"NotAction": "iam:*",
"Resource": "*"
},
{
"Effect": "Deny",
"NotAction": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::c3-uits-s3"
]
}
]
}
哪些仍然有能够上传/删除相同的效果。我尝试另一个变化是
和
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"NotAction": "iam:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:List*",
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::c3-uits-s3"
]
},
{
"Effect": "Deny",
"Action": [
"s3:Put*",
"s3:Create*",
"s3:Delete*",
"s3:Replicate*"
],
"Resource": [
"arn:aws:s3:::c3-uits-s3"
]
}
]
}
任何帮助或在正确的方向指针将不胜感激!