以下似乎是拒绝语句的无效主体:
"Principal" : {
"AWS" : [
"arn:aws:iam::123412341234:*"
]
}
假设 123412341234 是我们的帐户 ID。
这个怎么设置?下面似乎可行,但意味着必须明确列出来自外部帐户的所有相关 arn:
"NotPrincipal" : {
"AWS" : [
"arn:aws:iam::111112341234:role/blar1",
"arn:aws:iam::111112341234:role/blar2",
"arn:aws:iam::111112341234:root",
"arn:aws:iam::555552341234:role/blar3",
"arn:aws:iam::555552341234:root",
]
}
事实上,根据https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/这甚至行不通,因为我必须包括assumed-role
无法提前知道的arns。
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notprincipal.html