我正在尝试将 MFA 策略添加到为云跟踪创建的现有策略中,以将跟踪日志放入 S3 存储桶中,
这些是我尝试过的事情:
- 如果我在我的 MFA 策略中使用“*”原则,它基本上会拒绝所有内容,即使是放置日志的路径
- 如果我使用“NotPrincpal”并在 MFA 策略主体中定义服务,它仍然拒绝云试用放置日志;根据文档“您还必须指定未拒绝委托人的账户 ARN。否则,该策略可能会拒绝对包含委托人的整个账户的访问。根据您在策略中包含的服务,AWS 可能会验证该账户首先是用户。”
- 我能想到的唯一方法是在原则中添加所有用户,如果我们有数百个用户,这不是一种实用的方法。
除了第三个选项,我还有什么办法可以做到这一点
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailAclCheck20151319",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::cloudtrail-2-15-2021-logs"
},
{
"Sid": "AWSCloudTrailWrite20151319",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::cloudtrail-2-15-2021-logs/AWS SOC Monitering/AWSLogs/AWSIDXXX/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
},
{
"Sid": "MFApolicy1",
"Effect": "Deny",
"Principal": {
"AWS": [
"arn:aws:iam::AWSIDXXX:user/ADMIN",
"arn:aws:iam::AWSIDXXX:user/View_testuser",
"arn:aws:iam::AWSIDXXX:user/Security_Auditor"
]
},
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::cloudtrail-2-15-2021-logs/*",
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
]
}