为什么我的AWS S3存储桶策略不会覆盖我的IAM策略?
[英]Why Doesn't My AWS S3 Bucket Policy Override My IAM Policy?
问题描述
I have a user in my IAM account called "testuser" who has administrator privileges, like so: 
我的IAM帐户中有一个名为“testuser”的用户具有管理员权限,如下所示:
{
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
And then I have a policy on my S3 bucket that denies this user access, like so: 然后我在我的S3存储桶上有一个拒绝此用户访问权限的策略,如下所示:
{
"Statement": [
{
"Effect": "Deny",
"Principal": {
"AWS": "my-account-id:user/testuser"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::my-bucket-name/*"
}
]
}
So, the explicit deny in the S3 bucket policy should override the allow from the IAM policy right? 那么,S3存储桶策略中的显式拒绝是否应该覆盖IAM策略允许的权限? But when I log in as testuser, I still have access to everything in that bucket - I even have access to change or remove the bucket policy for that bucket (and every other bucket too). 但是当我以testuser身份登录时,我仍然可以访问该存储桶中的所有内容 - 我甚至可以访问更改或删除该存储桶的存储桶策略(以及其他所有存储桶)。 Why isn't my explicit deny doing anything? 为什么我没有明确拒绝做任何事情?
1 个解决方案
解决方案1
10 已采纳 2012-07-21 23:03:34
Try using the full ARN form for the user ID in the bucket policy: 尝试在存储桶策略中使用完整的ARN表单作为用户ID:
"Principal": {
"AWS":["arn:aws:iam::accountid:user/testuser"]
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.