Use aws cli to add a statement to an existing S3 bucket policy


Question

Assuming I already have a policy attached to a bucket, in the likes of:

{
    "Version": "2012-10-17",
    "Id": "123",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": {
                "AWS": "arn:aws:iam::9876543211:someuser"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::my-bucket",
                "arn:aws:s3:::my-bucket/*"
            ]
        }
    ]
}

I want to update this policy, so that I enforce SSL (i.e. I want the statement above to remain intact).

How can I use aws cli so that my policy ends up looking like this:

{
    "Version": "2012-10-17",
    "Id": "123",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": {
                "AWS": "arn:aws:iam::9876543211:someuser"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::my-bucket",
                "arn:aws:s3:::my-bucket/*"
            ]
        },
        {
            "Action": "s3:*",
            "Effect":"Deny",
            "Principal": "*",
            "Resource":"arn:aws:s3:::my-bucket/*",
            "Condition":{
                "Bool":
                { "aws:SecureTransport": false }
            }
        }
    ]
}

Answer

In case you want to attach/update an inline policy, you can use the aws iam put-role-policy command.

Description:

Adds or updates an inline policy document that is embedded in the specified IAM role.

Usage:

cat > policy-name.json << EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1572432380474",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
EOF

aws iam put-role-policy \
--role-name ${ROLE_NAME} \
--policy-name policy-name \
--policy-document file://policy-name.json 

In case you want to update a managed policy, use the aws organizations update-policy command.

Description:

Updates an existing policy with a new name, description, or content. If you don't supply any parameter, that value remains unchanged. You can't change a policy's type.

Usage:

# The policy document is wrapped in single quotes so the shell passes the
# embedded double quotes through to the CLI unchanged.
aws organizations update-policy \
    --policy-id policy-id \
    --content '{
    "Version": "2012-10-17",
    "Id": "123",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": {
                "AWS": "arn:aws:iam::9876543211:someuser"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::my-bucket",
                "arn:aws:s3:::my-bucket/*"
            ]
        },
        {
            "Action": "s3:*",
            "Effect":"Deny",
            "Principal": "*",
            "Resource":"arn:aws:s3:::my-bucket/*",
            "Condition":{
                "Bool":
                { "aws:SecureTransport": false }
            }
        }
    ]
}'
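As an added example (not code from the question or the answer above), the same merge done against the bucket policy itself: read the current policy with aws s3api get-bucket-policy, append the SSL-only Deny statement while leaving the existing statement intact, and write the result back with aws s3api put-bucket-policy. The Sid value is an assumption, the sample EXISTING_POLICY is constructed from the question, and the Deny statement deliberately covers the bucket ARN as well as bucket/* so that unencrypted list requests are refused too.

```python
import json
import subprocess

# Constructed sample: the bucket policy already attached in the question above.
EXISTING_POLICY = {
    "Version": "2012-10-17",
    "Id": "123",
    "Statement": [{
        "Effect": "Deny",
        "Principal": {"AWS": "arn:aws:iam::9876543211:someuser"},
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
    }],
}

def ssl_only_statement(bucket):
    """Deny every request to the bucket that does not arrive over TLS."""
    return {
        "Sid": "DenyInsecureTransport",  # assumed Sid; any unique id works
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        # Covers the bucket ARN (list operations) and the object ARNs.
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }

def add_statement(policy, statement):
    """Return a new policy with `statement` appended; existing statements stay intact."""
    merged = json.loads(json.dumps(policy)) if policy else {"Version": "2012-10-17"}
    statements = merged.setdefault("Statement", [])
    if isinstance(statements, dict):  # a one-statement policy may use a bare object
        statements = merged["Statement"] = [statements]
    if statement not in statements:   # idempotent: re-running adds no duplicate
        statements.append(statement)
    return merged

def update_bucket_policy(bucket):
    """Fetch, merge and write back with the aws cli (needs credentials; not run offline)."""
    get = subprocess.run(["aws", "s3api", "get-bucket-policy", "--bucket", bucket,
                          "--query", "Policy", "--output", "text"],
                         capture_output=True, text=True)
    # A non-zero exit (e.g. NoSuchBucketPolicy) means there is nothing to preserve yet.
    current = json.loads(get.stdout) if get.returncode == 0 else None
    new_policy = add_statement(current, ssl_only_statement(bucket))
    subprocess.run(["aws", "s3api", "put-bucket-policy", "--bucket", bucket,
                    "--policy", json.dumps(new_policy)], check=True)
    return new_policy
```

Calling update_bucket_policy("my-bucket") with credentials configured applies the change; add_statement alone can be exercised offline against EXISTING_POLICY to inspect the merged document first.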
