问题描述
我具有以下用户配置:
namespace: s3test
user: s3test
subuser: backup (set up with s3 credentials instead of swift)
我想定义一个存储桶策略,该策略明确阻止备份用户放入由hedgehogs
用户创建的名为s3test
的存储桶:
{
"Version": "2012-10-17","Statement": [
{
"Sid": "DenyPutToHedgehogsForBackup","Effect": "Deny","Principal": {
"CanonicalUser": "s3test:backup"
},"Action": ["s3:PutObject"],"Resource": [
"arn:aws:s3:::hedgehogs/*"
]
}
]
}
但是,这似乎阻止了s3test
和s3test:backup
都放入hedgehogs
。
我的策略语法有问题吗?或者这意味着配置了s3凭据的子用户只是使用主要用户权限访问s3的另一种方式?
解决方法
您的存储桶策略应如下所示:
{
"Version": "2012-10-17","Statement": [{
"Effect": "Deny","Principal": {"AWS": ["arn:aws:iam:::user/s3test:backup"]},"Action": "s3:PutObject","Resource": [
"arn:aws:s3:::hedgehogs/*"
]
}]
}