amazon-s3 - S3存储桶策略的多个条件

我希望授予对存储桶的访问权限，该存储桶将允许我的VPC中的实例通过我们的数据中心完全访问它以及计算机。没有aws:SouceIp行，我可以限制对VPC联机计算机的访问。

我需要有效的策略，以便只能从VPC内的计算机以及我的办公室访问该存储桶。

{
    "Version": "2012-10-17",
    "Id": "Policy1496253408968",
    "Statement": [
        {
            "Sid": "Stmt1496253402061",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::xyz-sam-test/*",
                "arn:aws:s3:::xyz-sam-test"
            ],
            "Condition": {
                "StringLike": {
                    "aws:sourceVpc": "vpc-dcb634bf",
                    "aws:SourceIp": "<MY PUBLIC IP>"
                }
            }
        }
    ]
}

最佳答案

当两个 key 的Effect Condition匹配那些特定的通配符时，您可以生成一个策略，其Deny将对存储桶进行StringNotLike访问。

{
    "Version": "2012-10-17",
    "Id": "Policy1496253408968",
    "Statement": [
        {
            "Sid": "Stmt1496253402061",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::xyz-sam-test/*",
                "arn:aws:s3:::xyz-sam-test"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:sourceVpc": "vpc-dcb634bf",
                    "aws:SourceIp": "<MY PUBLIC IP>"
                }
            }
        }
    ]
}

第二个条件也可以独立于自己的陈述。 AWS在语句之间应用逻辑或。 1

{
    "Version": "2012-10-17",
    "Id": "Policy1496253408968",
    "Statement": [
        {
            "Sid": "Stmt1496253402061",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::xyz-sam-test/*",
                "arn:aws:s3:::xyz-sam-test"
            ],
            "Condition": {
                "StringLike": {
                    "aws:sourceVpc": "vpc-dcb634bf",
                }
            }
        },
        {
            "Sid": "Stmt1496253402062",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::xyz-sam-test/*",
                "arn:aws:s3:::xyz-sam-test"
            ],
            "Condition": {
                "StringLike": {
                    "aws:SourceIp": "<MY PUBLIC IP>"
                }
            }
        }
    ]
}