
So I have two policies that do almost the same thing, but one works and the other does not in the IAM Policy Simulator, even though I set the ARN and IpAddress to the same values in both queries;

Working policy;

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt",
            "Effect": "Deny",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt",
            "Effect": "Allow",
            "Action": "kms:Encrypt",
            "Resource": [
                "arn:aws:kms:us-east-1:11111111:key/bla-bla"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "12.12.12.12"
                    ]
                }
            }
        }
    ]
}

Then I flipped the Allow on encrypt to a Deny and switched IpAddress to NotIpAddress;

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt",
            "Effect": "Deny",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt",
            "Effect": "Deny",
            "Action": "kms:Encrypt",
            "Resource": [
                "arn:aws:kms:us-east-1:11111111:key/bla-bla"
            ],
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "12.12.12.12"
                    ]
                }
            }
        }
    ]
}

The latter does not work, and I'm confused as to why. Any insights?!

The error message returned is Implicitly denied (no matching statements), which I interpret as "you did not specify an Allow, so you don't have access to it", but I actually have the same implementation on another key I'm using and it works fine.


0 answers
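To see why the simulator reports "Implicitly denied (no matching statements)" for the second policy, it helps to walk through IAM's evaluation order by hand: an explicit Deny that matches always wins, otherwise a matching Allow grants access, and if no statement matches at all the request is implicitly denied. The following toy evaluator is an added example written for this page, not AWS code and not the asker's; it implements only that decision order plus the IpAddress / NotIpAddress and StringEquals operators, treats a missing condition key as "condition false" (a simplification), and uses constructed request contexts. The Sids are made unique here because IAM requires Sids to be unique within a policy. The third policy is the usual shape of the Deny/NotIpAddress pattern: the Deny fences off every other source network, but a separate Allow is still needed, because a Deny can never grant anything.

```python
"""Toy IAM policy evaluator (added example, not AWS code) reproducing the
default-deny logic behind the Policy Simulator result in the question."""
import fnmatch
import ipaddress

KEY_ARN = "arn:aws:kms:us-east-1:11111111:key/bla-bla"  # placeholder ARN from the question


def _as_list(value):
    """IAM lets Action, Resource and condition values be a string or a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM wildcards '*' and '?'; action names are case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    """Resource ARNs are case-sensitive."""
    return fnmatch.fnmatchcase(resource, pattern)


def _ip_in(ranges, ip):
    """A bare address such as 12.12.12.12 is treated as a /32 network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


# Only the operators needed for this question are modelled.
OPERATORS = {
    "IpAddress": lambda values, actual: _ip_in(values, actual),
    "NotIpAddress": lambda values, actual: not _ip_in(values, actual),
    "StringEquals": lambda values, actual: actual in values,
    "StringNotEquals": lambda values, actual: actual not in values,
}


def condition_holds(condition, context):
    """Every operator block and every key must hold (AND); the values of one
    key are ORed inside the operator. A missing key is treated as false here,
    which is a simplification of the real service behaviour."""
    for operator, pairs in condition.items():
        test = OPERATORS[operator]
        for key, values in pairs.items():
            if key not in context or not test(_as_list(values), context[key]):
                return False
    return True


def evaluate(policy, action, resource, context):
    """Return (decision, [Sids of matching statements]) where decision is
    'explicit_deny', 'allow' or 'implicit_deny'. Explicit Deny beats Allow;
    no matching statement at all means implicit deny."""
    matched, effects = [], []
    for stmt in policy["Statement"]:
        if not any(_action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            continue
        if not any(_resource_matches(p, resource) for p in _as_list(stmt.get("Resource", []))):
            continue
        if not condition_holds(stmt.get("Condition", {}), context):
            continue
        matched.append(stmt.get("Sid"))
        effects.append(stmt["Effect"])
    if "Deny" in effects:
        return "explicit_deny", matched
    if "Allow" in effects:
        return "allow", matched
    return "implicit_deny", matched


# The asker's first policy: explicit Deny on Decrypt, conditional Allow on Encrypt.
POLICY_ALLOW_IF_IP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyDecrypt", "Effect": "Deny", "Action": ["kms:Decrypt"], "Resource": ["*"]},
        {"Sid": "AllowEncryptFromIp", "Effect": "Allow", "Action": "kms:Encrypt",
         "Resource": [KEY_ARN],
         "Condition": {"IpAddress": {"aws:SourceIp": ["12.12.12.12"]}}},
    ],
}

# The asker's second policy: every statement is a Deny, so no request can ever be allowed.
POLICY_DENY_UNLESS_IP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyDecrypt", "Effect": "Deny", "Action": ["kms:Decrypt"], "Resource": ["*"]},
        {"Sid": "DenyEncryptOutsideIp", "Effect": "Deny", "Action": "kms:Encrypt",
         "Resource": [KEY_ARN],
         "Condition": {"NotIpAddress": {"aws:SourceIp": ["12.12.12.12"]}}},
    ],
}

# Same Deny fence, plus the Allow that actually grants the action.
POLICY_DENY_UNLESS_IP_FIXED = {
    "Version": "2012-10-17",
    "Statement": POLICY_DENY_UNLESS_IP["Statement"] + [
        {"Sid": "AllowEncrypt", "Effect": "Allow", "Action": "kms:Encrypt", "Resource": [KEY_ARN]},
    ],
}

INSIDE = {"aws:SourceIp": "12.12.12.12"}    # constructed request contexts
OUTSIDE = {"aws:SourceIp": "198.51.100.7"}

if __name__ == "__main__":
    for name, policy in [("allow-if-ip", POLICY_ALLOW_IF_IP),
                         ("deny-unless-ip", POLICY_DENY_UNLESS_IP),
                         ("deny-unless-ip+allow", POLICY_DENY_UNLESS_IP_FIXED)]:
        for ctx in (INSIDE, OUTSIDE):
            print(name, ctx["aws:SourceIp"], evaluate(policy, "kms:Encrypt", KEY_ARN, ctx))
```

Running it shows the second policy returning `('implicit_deny', [])` from the allowed address: the NotIpAddress condition is false for 12.12.12.12, so the Deny statement is skipped, and with no Allow left to match the evaluator falls through to the default deny, exactly the simulator's message. The same policy from any other address returns an explicit deny, which is the only thing a Deny-only policy can ever do.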