4

我的目标是允许一个用户将对象放入 s3 存储桶中。我想到了应用存储桶策略。我知道您不能拒绝所有用户的 PutObjects,然后通过允许所需用户覆盖它。我曾希望使用条件“ArnNotEquals”从拒绝策略声明中排除单个用户:

"Statement": [
    {
        "Sid": "allow only OneUser to put objects",
        "Effect": "Deny",
        "Principal": {
            "AWS": "*"
        },
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::myBucket/*",
        "Condition": {
            "ArnNotEquals": {
                "aws:SourceArn": "arn:aws:iam::123456789012:user/OneUser"
            }
        }
    }
]

但是,这会导致向所有用户拒绝 PutObjects。我在正确的轨道上吗?我可以为此制定一个桶策略吗?还是我需要查看其他地方,例如 ACL(访问控制列表)?

4

2 回答 2

8

这样做的方法是使用NotPrincipal策略元素。它允许您将策略应用于除特定列表之外的所有原则。您的政策将变为:

"Statement": [
    {
        "Sid": "allow only OneUser to put objects",
        "Effect": "Deny",
        "NotPrincipal": {
            "AWS": "arn:aws:iam::123456789012:user/OneUser"
        },
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::myBucket/*"
    }
]
于 2015-03-17T16:18:59.053 回答
0

像这样尝试.. SourceArn → Arn

"Statement": [
    {
        "Sid": "allow only OneUser to put objects",
        "Effect": "Deny",
        "Principal": {
            "AWS": "*"
        },
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::myBucket/*",
        "Condition": {
            "ArnNotEquals": {
                "aws:Arn": "arn:aws:iam::123456789012:user/OneUser"
            }
        }
    }
]
于 2018-03-26T09:05:36.573 回答