I used the Policy Generator to create a simple rule for my bucket; the rules should allow the following intended effect:
To this purpose I wrote the following rule, but something didn't work as expected; in particular, I have totally lost access to the bucket elements and was getting "Access Denied" in all cases, root included:
Edit: with @jarmod's answer I was able to set the intended functionality; however, it triggers a warning about the bucket being public. I do not see the difference with respect to having no policy; the bucket is still publicly accessible for read-only. What is the difference?
Perhaps you could do this as follows:
You could do this with a policy something like this:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::mybucket/*"
            ]
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "NotAction": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::mybucket/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userId": [
                        "iam-userid-here",
                        "root-userid-here"
                    ]
                }
            }
        }
    ]
}
To get iam-userid-here, run aws iam list-users and retrieve the UserId for the IAM user. Similarly, to get root-userid-here, simply retrieve the account number from the Arn of the previous aws iam list-users output. The root account userId is the AWS account number.
The IAM user indicated by iam-userid-here could then have an IAM policy allowing S3 access.
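The following is an added example, not code from the answer or from AWS: a small offline evaluator that walks the two statements above (with constructed placeholder IDs in place of iam-userid-here and root-userid-here) and reports, for a given action and caller, whether the bucket policy explicitly denies, allows, or simply does not cover the request. It also shows why the bucket is still flagged as public: the first statement allows anonymous GetObject regardless of the Deny statement. The matcher is deliberately simplified (Action/NotAction, Resource wildcards and StringNotLike only), and treating a missing aws:userId as satisfying the negated condition is an assumption of this model.

```python
import fnmatch

# Constructed placeholder identifiers, not real AWS values.
IAM_USER_ID = "AIDAEXAMPLEUSERID"
ROOT_USER_ID = "123456789012"

# The bucket policy from the answer, with the placeholders filled in.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": ["arn:aws:s3:::mybucket/*"]},
        {"Effect": "Deny", "Principal": "*", "NotAction": "s3:GetObject",
         "Resource": ["arn:aws:s3:::mybucket/*"],
         "Condition": {"StringNotLike": {"aws:userId": [IAM_USER_ID, ROOT_USER_ID]}}},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches_any(value, patterns):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _statement_applies(stmt, action, resource, context):
    """Simplified matcher: Action/NotAction, Resource globs, StringNotLike only."""
    if "Action" in stmt and not _matches_any(action, stmt["Action"]):
        return False
    if "NotAction" in stmt and _matches_any(action, stmt["NotAction"]):
        return False
    if not _matches_any(resource, stmt["Resource"]):
        return False
    for key, patterns in stmt.get("Condition", {}).get("StringNotLike", {}).items():
        value = context.get(key)
        # Assumption: a key absent from the request context (anonymous caller)
        # matches no pattern, so the negated condition holds and the Deny applies.
        if value is not None and _matches_any(value, patterns):
            return False
    return True

def evaluate(policy, action, resource, context):
    """Return 'explicit_deny', 'allow' or 'implicit_deny'; an explicit Deny always wins."""
    effects = {s["Effect"] for s in policy["Statement"]
               if _statement_applies(s, action, resource, context)}
    if "Deny" in effects:
        return "explicit_deny"
    return "allow" if "Allow" in effects else "implicit_deny"

if __name__ == "__main__":
    obj = "arn:aws:s3:::mybucket/report.pdf"
    print("anonymous GetObject:", evaluate(BUCKET_POLICY, "s3:GetObject", obj, {}))
    print("anonymous PutObject:", evaluate(BUCKET_POLICY, "s3:PutObject", obj, {}))
    print("listed user PutObject:", evaluate(BUCKET_POLICY, "s3:PutObject", obj, {"aws:userId": IAM_USER_ID}))
    print("other user DeleteObject:", evaluate(BUCKET_POLICY, "s3:DeleteObject", obj, {"aws:userId": "AIDAOTHERUSER"}))
```

Note that the listed IAM user gets implicit_deny from the bucket policy alone for PutObject; as the answer says, that user still needs an IAM policy granting S3 access for the request to succeed.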