How to provide multiple StringNotEquals conditions in AWS policy?


Problem description


I am trying to write AWS S3 bucket policy that denies all traffic except when it comes from two VPCs. The policy I'm trying to write looks like the one below, with a logical AND between the two StringNotEquals (except it's an invalid policy):

{
   "Version": "2012-10-17",
   "Id": "Policy1415115909152",
   "Statement": [
     {
       "Sid": "Allow-access-only-from-two-VPCs",
       "Action": "s3:*",
       "Effect": "Deny",
       "Resource": ["arn:aws:s3:::my-bucket",
                    "arn:aws:s3:::my-bucket/*"],
       "Condition": {
         "StringNotEquals": {
           "aws:sourceVpc": "vpc-111bbccc"
         },
         "StringNotEquals": {
           "aws:sourceVpc": "vpc-111bbddd"
         }
       },
       "Principal": "*"
     }
   ]
}

If I use this:

"StringNotEquals": {
  "aws:sourceVpc": ["vpc-111bbccc", "vpc-111bbddd"]
}


then at least one of the string comparisons returns true and the S3 bucket is not accessible from anywhere.
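The first policy above is invalid because the same condition operator key appears twice in one Condition object. The added check below (example code, not from the original post or from AWS) shows why that is easy to miss: a standard JSON parser silently keeps only the last duplicate, so the policy seen by tooling is not the one written. The policy text is a constructed sample based on the question.

```python
import json

# Constructed sample (not an AWS-provided document): the asker's policy with
# "StringNotEquals" repeated inside a single Condition object.
INVALID_POLICY = '''{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Allow-access-only-from-two-VPCs",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
    "Condition": {
      "StringNotEquals": {"aws:sourceVpc": "vpc-111bbccc"},
      "StringNotEquals": {"aws:sourceVpc": "vpc-111bbddd"}
    }
  }]
}'''


def find_duplicate_keys(policy_text):
    """Return the names of JSON object keys that occur more than once within
    the same object. json.loads() alone would keep the last value silently."""
    duplicates = []

    def hook(pairs):
        # object_pairs_hook receives every (key, value) pair of one object,
        # in document order, so repeated keys are visible here.
        seen = set()
        for key, _ in pairs:
            if key in seen:
                duplicates.append(key)
            seen.add(key)
        return dict(pairs)  # same "last one wins" behaviour as the default parser

    json.loads(policy_text, object_pairs_hook=hook)
    return duplicates


def condition_as_parsed(policy_text):
    """Return the Condition block exactly as a lenient parser would keep it."""
    return json.loads(policy_text)["Statement"][0]["Condition"]


if __name__ == "__main__":
    print("duplicate keys:", find_duplicate_keys(INVALID_POLICY))
    print("condition kept by json.loads:", condition_as_parsed(INVALID_POLICY))
```

Running the check before uploading a policy surfaces the duplicated operator; the parsed Condition shows that only the second VPC would survive.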

Recommended answer


Never tried this before. But the following should work. From: Using IAM Policy Conditions for Fine-Grained Access Control

    "Condition": {
        "ForAllValues:StringNotEquals": {
            "aws:sourceVpc": [
                "vpc-111bbccc",
                "vpc-111bbddd"
            ]
        },
