1

我正在尝试将 MFA 策略添加到为云跟踪创建的现有策略中,以将跟踪日志放入 S3 存储桶中,

这些是我尝试过的事情:

  1. 如果我在我的 MFA 策略中使用“*”原则,它基本上会拒绝所有内容,即使是放置日志的路径
  2. 如果我使用“NotPrincpal”并在 MFA 策略主体中定义服务,它仍然拒绝云试用放置日志;根据文档“您还必须指定未拒绝委托人的账户 ARN。否则,该策略可能会拒绝对包含委托人的整个账户的访问。根据您在策略中包含的服务,AWS 可能会验证该账户首先是用户。”
  3. 我能想到的唯一方法是在原则中添加所有用户,如果我们有数百个用户,这不是一种实用的方法。

除了第三个选项,我还有什么办法可以做到这一点

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailAclCheck20151319",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::cloudtrail-2-15-2021-logs"
        },
        {
            "Sid": "AWSCloudTrailWrite20151319",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::cloudtrail-2-15-2021-logs/AWS SOC Monitering/AWSLogs/AWSIDXXX/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        },
        {
            "Sid": "MFApolicy1",
            "Effect": "Deny",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::AWSIDXXX:user/ADMIN",
                    "arn:aws:iam::AWSIDXXX:user/View_testuser",
                    "arn:aws:iam::AWSIDXXX:user/Security_Auditor"
                ]
            },
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::cloudtrail-2-15-2021-logs/*",
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}
4

0 回答 0