本文介绍了使用aws cli向现有的S3存储桶策略中添加一条语句的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

假设我已经有一个附加到存储桶的策略,例如:

Assuming I already have a policy attached to a bucket, in the likes of:

{
    "Version": "2012-10-17",
    "Id": "123",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": {
                "AWS": "arn:aws:iam::9876543211:someuser"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::my-bucket",
                "arn:aws:s3:::my-bucket/*"
            ]
        }
    ]
}

我想更新此策略,以便实施SSL(即,我希望上述语句保持不变).

I want to update this policy, so that I enforce SSL (i.e. I want the statement above to remain intact).

如何使用aws cli,这样我的策略最终看起来像这样:

How can I use aws cli so that my policy ends up looking like this:

{
    "Version": "2012-10-17",
    "Id": "123",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": {
                "AWS": "arn:aws:iam::9876543211:someuser"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::my-bucket",
                "arn:aws:s3:::my-bucket/*"
            ]
        },
        {
            "Action": "s3:*",
            "Effect":"Deny",
            "Principal": "*",
            "Resource":"arn:aws:s3:::my-bucket/*",
            "Condition":{
                "Bool":
                { "aws:SecureTransport": false }
            }
        }
    ]
}

推荐答案

如果要附加\更新内联策略,可以使用 aws iam put-role-policy 命令.

In case you want to attach\update Inline policy, You can use the aws iam put-role-policy command.

说明:

用法:

cat > policy-name.json << EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1572432380474",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
EOF

aws iam put-role-policy \
--role-name ${ROLE_NAME} \
--policy-name policy-name \
--policy-document file://policy-name.json 

如果要更新托管策略,请使用 aws Organization update-policy 命令.

In case you want to update Managed policy, use aws organizations update-policy command.

说明:

用法:

aws organizations update-policy \
    --policy-id policy-id \
    --content "{
    "Version": "2012-10-17",
    "Id": "123",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": {
                "AWS": "arn:aws:iam::9876543211:someuser"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::my-bucket",
                "arn:aws:s3:::my-bucket/*"
            ]
        },
        {
            "Action": "s3:*",
            "Effect":"Deny",
            "Principal": "*",
            "Resource":"arn:aws:s3:::my-bucket/*",
            "Condition":{
                "Bool":
                { "aws:SecureTransport": false }
            }
        }
    ]
}
"

这篇关于使用aws cli向现有的S3存储桶策略中添加一条语句的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

10-24 08:34