在S3上的资源影响其他组的AWS IAM组策略? [英] AWS IAM group policy on S3 resource affecting other groups?
问题描述
这是一个跟进,但独立的问题,从 AWS S3斗政策无效集团主要
This is a follow-up but independant question from AWS s3 bucket policy invalid group principal
我有2组:开发者和合作者。 Devlopers有preconfigured高级用户组策略。合作者有以下组策略
I have 2 groups: Developers and Collaborators. Devlopers have the preconfigured "PowerUser" group policy. Collaborators have the following group policy
{
"Version": "2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":[
"s3:ListAllMyBuckets"
],
"Resource":"arn:aws:s3:::*"
},
{
"Effect":"Allow",
"Action":[
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource":"arn:aws:s3:::bucket"
},
{
"Effect":"Allow",
"Action":[
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource":"arn:aws:s3:::bucket/*.txt"
}
]
}
桶中有以下策略来拒绝上传不加密的txt文件:
The bucket has the following policy to deny upload of unencrypted .txt files:
{
"Version": "2008-10-17",
"Id": "PutObjPolicy",
"Statement": [
{
"Sid": "DenyUnEncryptedObjectUploads",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::bucket/*.txt",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "AES256"
}
}
}
]
}
我期望的行为:开发者组可以把任何类型的文件,名为.txt文件必须被加密,包括制作目录。 协作者组可以说,获得只有删除名.txt文件,他们不能让目录。
The behavior i expect: "Developer" group can put any type of file, ".txt" files must be encrypted, including making directories. "Collaborator" group can put, get and delete ".txt" files only, they cannot make directories.
我得到的行为是如预期的开发。的合作者的行为等同于开发者,他们可以把任何文件时,他们只能够把名.txt文件。
The behavior i get is as expected for "Developer". The behavior of "Collaborators" is identical to developers, they can put any file when they should only be able to put ".txt" files.
我是什么做错了吗?
推荐答案
大量的试验和错误后,我试图做的大部分在桶水平的权限,得到了一些意想不到的行为,不得不过来两个组分开,斗政策。这是我的组策略的合作者:
After a lot of trial and error I attempted to do most of the permissions at the bucket level, got some unexpected behavior and had to split it over both group and bucket policy. Here is my group policy for "Collaborators":
{
"Version": "2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":[
"s3:ListAllMyBuckets"
],
"Resource":"arn:aws:s3:::*"
},
{
"Effect":"Allow",
"Action":[
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource":"arn:aws:s3:::bucket"
},
{
"Effect":"Allow",
"Action":[
"s3:GetObject"
],
"Resource":"arn:aws:s3:::bucket/*"
}
]
}
下面是铲斗策略,只允许上载和由四个用户在合作者组删除的符.txt的文件:
Here is the bucket policy that only allows upload and delete of ".txt" files by the four users in the "Collaborator" group:
{
"Version": "2008-10-17",
"Id": "PutObjPolicy",
"Statement": [
{
"Sid": "DenyUnEncryptedObjectUploads",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::bucket/*.txt",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "AES256"
}
}
},
{
"Sid": "CelOnly",
"Effect": "Deny",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:user/collaborator1",
"arn:aws:iam::111122223333:user/collaborator2",
"arn:aws:iam::111122223333:user/collaborator3",
"arn:aws:iam::111122223333:user/collaborator4"
]
},
"Action": [
"s3:DeleteObject",
"s3:PutObject"
],
"NotResource": "arn:aws:s3:::bucket/*.txt"
}
]
}
包括S3:GetObject的桶中的政策并没有允许下载的名为.txt文件,为什么我不得不将其移动到组策略。我仍然不能确定为什么花了这么多的摸索与我的一些其他的解决方案,如在原来的问题没有工作。但至少,这是回答我的问题。
Including s3:GetObject in the bucket policy did not allow downloads of ".txt" files that why i had to move it to group policy. I'm still unsure why it took so much trial and error and some of my other solutions such as that in the original question did not work. but at least this is the answer to my problem.
这篇关于在S3上的资源影响其他组的AWS IAM组策略?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
