0

我有以下用户配置:

namespace: s3test
user:      s3test
  subuser:   backup (set up with s3 credentials instead of swift)

我想定义一个存储桶策略,明确阻止备份用户将其放入hedgehogss3test用户创建的名为 的存储桶中:

{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyPutToHedgehogsForBackup",
                "Effect": "Deny",
                "Principal": {
                    "CanonicalUser": "s3test:backup"
                },
                "Action": ["s3:PutObject"],
                "Resource": [
                    "arn:aws:s3:::hedgehogs/*"
                ]
            }
        ]
}

但是,这似乎阻止了s3test和。s3test:backuphedgehogs

我的策略语法是否有问题,或者这是否意味着配置了 s3 凭据的子用户只是使用主用户权限访问 s3 的另一种方式?

4

1 回答 1

1

您的存储桶策略应如下所示:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Principal": {"AWS": ["arn:aws:iam:::user/s3test:backup"]},
    "Action": "s3:PutObject",
    "Resource": [
      "arn:aws:s3:::hedgehogs/*"
    ]
  }]
}
于 2020-11-05T00:58:58.987 回答