我的目标是允许一个用户将对象放入s3存储桶。我想过应用一个存储桶策略。我知道你不能拒绝PutObjects给所有用户,然后通过允许所谓的用户覆盖它。我曾希望使用条件“ArnNotEquals”从拒绝政策声明中排除单个用户:
"Statement": [
{
"Sid": "allow only OneUser to put objects",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::myBucket/*",
"Condition": {
"ArnNotEquals": {
"aws:SourceArn": "arn:aws:iam::123456789012:user/OneUser"
}
}
}
]
但是,这会导致将PutObjects拒绝给所有用户。我是在正确的轨道上吗?我可以为此制定一个桶策略吗?或者我是否需要寻找其他地方,例如ACL(Access Control List)?
答案 0 :(得分:6)
执行此操作的方法是使用NotPrincipal政策要素。它允许您将策略应用于除特定列表之外的所有原则。您的政策将成为:
"Statement": [
{
"Sid": "allow only OneUser to put objects",
"Effect": "Deny",
"NotPrincipal": {
"AWS": "arn:aws:iam::123456789012:user/OneUser"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::myBucket/*"
}
]
答案 1 :(得分:0)
试试这样.. SourceArn→Arn
"Statement": [
{
"Sid": "allow only OneUser to put objects",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::myBucket/*",
"Condition": {
"ArnNotEquals": {
"aws:Arn": "arn:aws:iam::123456789012:user/OneUser"
}
}
}
]