1

我为 SNS 主题设置了如下所示的访问策略。我以为我只允许user2订阅该主题,但user1可以订阅该主题。我怎样才能为我想做的事情配置这个?

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__console_pub_0",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${account_id}:user/user1"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:eu-west-2:${account_id}:topic1"
    },
    {
      "Sid": "__console_sub_0",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${account_id}:user/user2"
      },
      "Action": [
        "SNS:Subscribe",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:eu-west-2:${account_id}:topic1"
    }
  ]
}
4

1 回答 1

2

User1 可以订阅,因为它有一个允许该操作的基于身份的策略(完整的 SNS 权限)。如果您查看策略评估逻辑,您将看到基于资源的策略(您添加到 SNS 主题的策略)和基于身份的策略(您添加到 user1 的完整 SNS 权限)都足以允许访问。

当 user1 尝试订阅该主题时,IAM 会查看这两个策略。主题策略不适用,但 SNS 完全访问权限适用,因此允许该操作。

如果要确保 user1 不能订阅,可以在 SNS 主题中添加拒绝策略:

    {
      "Effect": "Deny",
      "Principal": {
        "AWS": "arn:aws:iam::${account_id}:user/user1"
      },
      "Action": [
        "SNS:Subscribe",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:eu-west-2:${account_id}:topic1"
    }

如果您添加此语句,当 user1 尝试订阅时,IAM 将看到有匹配的 Deny 语句并拒绝该请求。

如果要确保只有user2 可以订阅,可以使用 NotPrincipal 并拒绝:

    {
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": "arn:aws:iam::${account_id}:user/user2"
      },
      "Action": [
        "SNS:Subscribe",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:eu-west-2:${account_id}:topic1"
    }

这匹配user2 之外的所有用户并拒绝订阅,无论他们可能有什么其他策略。

于 2020-09-26T16:09:15.280 回答