如何在AWS策略中提供多个StringNotEquals条件? [英] How to provide multiple StringNotEquals conditions in AWS policy?

问题描述

我正在尝试编写AWS S3存储桶策略，该策略拒绝所有流量(除非来自两个VPC的流量除外).我尝试编写的策略看起来像下面的策略，两个StringNotEquals之间是逻辑AND(除非它是无效的策略):

I am trying to write AWS S3 bucket policy that denies all traffic except when it comes from two VPCs. The policy I'm trying to write looks like the one below, with a logical AND between the two StringNotEquals (except it's an invalid policy):

{
   "Version": "2012-10-17",
   "Id": "Policy1415115909152",
   "Statement": [
     {
       "Sid": "Allow-access-only-from-two-VPCs",
       "Action": "s3:*",
       "Effect": "Deny",
       "Resource": ["arn:aws:s3:::my-bucket",
                    "arn:aws:s3:::my-bucket/*"],
       "Condition": {
         "StringNotEquals": {
           "aws:sourceVpc": "vpc-111bbccc"
         },
         "StringNotEquals": {
           "aws:sourceVpc": "vpc-111bbddd"
         }
       },
       "Principal": "*"
     }
   ]
}

如果我使用这个:

"StringNotEquals": {
       "aws:sourceVpc": ["vpc-111bbccc", "vpc-111bbddd"]
     }

然后至少有一个字符串比较返回true，并且无法从任何位置访问S3存储桶.

then at least one of the string comparisons returns true and the S3 bucket is not accessible from anywhere.

推荐答案

以前从未尝试过.来自:使用IAM策略条件进行细粒度的访问控制

Never tried this before.But the following should work. From: Using IAM Policy Conditions for Fine-Grained Access Control

    "Condition": {
        "ForAllValues:StringNotEquals": {
            "aws:sourceVpc": [
                "vpc-111bbccc",
                "vpc-111bbddd"
            ]
        },

这篇关于如何在AWS策略中提供多个StringNotEquals条件?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！