如何在S3存储桶策略中执行OR条件?
[英]How do I do an OR condition in an S3 bucket policy?
问题描述
I'm working on an S3 bucket policy. 
我正在研究S3存储桶策略。 The idea is to explicitly deny access to all IAM users within the account, except for those explicitly granted. 我们的想法是明确拒绝访问帐户中的所有IAM用户,但明确授予的用户除外。
I found a blog post that explains how to restrict access to a specific user. 我找到了一篇博客文章,解释了如何限制对特定用户的访问。 It works well. 它运作良好。 However, I want to extend the syntax to include a second IAM user that will be allowed access. 但是,我想扩展语法以包括将被允许访问的第二个IAM用户。 This is, in effect, an OR condition. 实际上,这是OR条件。
But, I've very new to JSON, and I'm not sure how to go about that. 但是,我对JSON很新,而且我不确定如何去做。
Here is the policy that works for restricting access to a single user: 以下是用于限制对单个用户的访问的策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
],
"Condition": {
"StringNotLike": {
"aws:userId": [
"AIDA<obfuscated id>:*",
"AIDA<obfuscated id>",
"111111111111"
]
}
}
}
]
}
Can anyone help me edit the above JSON to allow for an OR condition where I could specify an additional userid that would be allowed access? 任何人都可以帮我编辑上面的JSON以允许OR条件,我可以指定一个允许访问的额外用户ID吗?
AdvThanksance! AdvThanksance!
2 个解决方案
解决方案1
1 2017-02-28 23:12:35
You don't need to create this deny rule since all requests are denied by default unless there is an explicit allow rule. 您不需要创建此拒绝规则,因为默认情况下拒绝所有请求,除非有明确的允许规则。
To authorize multiple IAM users, you can list them as array elements. 要授权多个IAM用户,可以将它们列为数组元素。 So, you could write your bucket policy as follows: 因此,您可以按如下方式编写存储桶策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAllS3ActionsForSpecificIAMUsers",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::<account-number-without-hyphens>:user/<username1>",
"arn:aws:iam::<account-number-without-hyphens>:user/<username2>"
]
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
]
}
]
}
You can find out more about the Principal element here . 您可以在此处找到有关Principal元素的更多信息。
解决方案2
1 已采纳 2017-03-01 20:48:50
Ok, I figured this out. 好的,我想通了。
First, I tried adding a second StringgNotLike clause to the Condition , but that didn't work. 首先,我尝试在Condition添加第二个StringgNotLike子句,但这不起作用。
After doing as bit more reading, I realized the Condition clause accepts multiple key/value pairs. 在做了更多的阅读之后,我意识到Condition子句接受多个键/值对。 In fact, the original policy I showed in my question already did that. 事实上,我在问题中展示的原始政策已经做到了。 I just needed to add more values to the array that was already there. 我只需要为已经存在的数组添加更多值。
The policy that works, looks like this: 有效的政策如下:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my-private-bucket",
"arn:aws:s3:::my-private-bucket/*"
],
"Condition": {
"StringNotLike": {
"aws:userId": [
"AIDA<obfuscated-id-1>:*",
"AIDA<obfuscated-id-1>",
"AIDA<obfuscated-id-2>:*",
"AIDA<obfuscated-id-2>",
"111111111111"
]
}
}
}
]
}
When I realized that the key had already specified an array of values, I just added the second user id to the array, and it worked great. 当我意识到密钥已经指定了一个值数组时,我只是将第二个用户ID添加到数组中,并且它工作得很好。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.