我有一个存储桶策略,该策略可以正常工作,以限制对某个IP的存储桶的访问,但是我实际上想拒绝将存储桶本身或存储桶仅列出特定的IP。
除清单外,我可以使用所有其他功能。我可以拒绝列出存储分区的内容,进行上传,下载,但是不能拒绝执行诸如Get-S3Bucket -BucketName "bucket"
我当前的政策:
{
"Version": "2012-10-17",
"Id": "bucket-policy",
"Statement": [
{
"Sid": "IPDeny",
"Effect": "Deny",
"Principal": "*",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource": [
"arn:aws:s3:::bucketName/*",
"arn:aws:s3:::bucketName"
],
"Condition": {
"NotIpAddress": {
"aws:SourceIp": ["1.2.3.4.5","6.7.8.9"]
}
}
}
]
}
答案 0 :(得分:0)
该问题特定于PowerShell工具包。我了解到Get-S3Bucket实际上运行了一个“ s3集合” ,我相信其中包括以下内容:
s3:ListBucket,
s3:ListAllMyBuckets,
s3:HeadBucket
所以对我来说,不是存储桶策略,而是IAM用户策略。
我通过用户政策如下解决了该问题:
{
"Sid": "listBuckets",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:ListAllMyBuckets",
"s3:HeadBucket"
],
"Resource": "*",
"Condition": {
"IpAddress": {
"aws:SourceIp": ["1.2.3.4","5.6.7.8"]
}
}
}