使用aws cli向现有的S3存储桶策略中添加一条语句 [英] Use aws cli to add a statement to an existing S3 bucket policy
问题描述
假设我已经有一个附加到存储桶的策略,例如:
Assuming I already have a policy attached to a bucket, in the likes of:
{
"Version": "2012-10-17",
"Id": "123",
"Statement": [
{
"Effect": "Deny",
"Principal": {
"AWS": "arn:aws:iam::9876543211:someuser"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
]
}
]
}
我想更新此策略,以便实施SSL(即,我希望上述语句保持不变).
I want to update this policy, so that I enforce SSL (i.e. I want the statement above to remain intact).
如何使用aws
cli,这样我的策略最终看起来像这样:
How can I use aws
cli so that my policy ends up looking like this:
{
"Version": "2012-10-17",
"Id": "123",
"Statement": [
{
"Effect": "Deny",
"Principal": {
"AWS": "arn:aws:iam::9876543211:someuser"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
]
},
{
"Action": "s3:*",
"Effect":"Deny",
"Principal": "*",
"Resource":"arn:aws:s3:::my-bucket/*",
"Condition":{
"Bool":
{ "aws:SecureTransport": false }
}
}
]
}
推荐答案
In case you want to attach\update Inline policy, You can use the aws iam put-role-policy command.
说明:
添加或更新嵌入在 指定的IAM角色.
Adds or updates an inline policy document that is embedded in the specified IAM role.
用法:
cat > policy-name.json << EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1572432380474",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
}
]
}
EOF
aws iam put-role-policy \
--role-name ${ROLE_NAME} \
--policy-name policy-name \
--policy-document file://policy-name.json
如果要更新托管策略,请使用 aws Organization update-policy 命令.
In case you want to update Managed policy, use aws organizations update-policy command.
说明:
使用新名称,描述或内容更新现有策略. 如果您不提供任何参数,则该值保持不变.你 无法更改策略的类型.
Updates an existing policy with a new name, description, or content. If you don't supply any parameter, that value remains unchanged. You can't change a policy's type.
用法:
aws organizations update-policy \
--policy-id policy-id \
--content "{
"Version": "2012-10-17",
"Id": "123",
"Statement": [
{
"Effect": "Deny",
"Principal": {
"AWS": "arn:aws:iam::9876543211:someuser"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
]
},
{
"Action": "s3:*",
"Effect":"Deny",
"Principal": "*",
"Resource":"arn:aws:s3:::my-bucket/*",
"Condition":{
"Bool":
{ "aws:SecureTransport": false }
}
}
]
}
"
这篇关于使用aws cli向现有的S3存储桶策略中添加一条语句的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!