删除 s3 存储桶所有者的特定权限
Remove specific permissions for the s3 bucket owner
我创建了一个 s3 存储桶,并在存储桶中添加了一个策略,表示拒绝规范用户的 ListBucket 操作。这里的规范用户就是我。下面是我的代码..
s3_client.create_bucket(Bucket=bucket_name)
bucket_policy = {
'Version': '2012-10-17',
'Statement': [{
'Sid': 'AddPerm',
'Effect': 'Deny',
'Principal':
#I am denying ListBucket access to this canonical user id.
{"CanonicalUser":"1234567777777777777777544444444466666ac73d5bc7cd43619"},
'Action': ['s3:ListBucket'],
'Resource': f'arn:aws:s3:::{bucket_name}',
}]
}
# Convert the policy from JSON dict to string
bucket_policy = json.dumps(bucket_policy)
s3_client.put_bucket_policy(Bucket=bucket_name, Policy=bucket_policy)
s3_client.put_object(Bucket=bucket_name, Key="a/b/c/abc.txt")
#Still i am getting response for this list_objects operation.
response = s3_client.list_objects(Bucket=bucket_name)
print(response)
如何删除 root 用户的特定 s3 存储桶权限?
谢谢
根据评论,问题是拒绝 root 用户访问同一帐户内的资源,也不推荐这样做。
You can only use an AWS Organizations service control policy (SCP) to limit the permissions of the root user
下面描述的方法适用于跨帐户访问。
根据文档,您可以按以下格式处理 root 用户
"Principal":{"AWS":"arn:aws:iam::AccountNumber-WithoutHyphens:root"}
"Principal":{"AWS":["arn:aws:iam::AccountNumber1-WithoutHyphens:root","arn:aws:iam::AccountNumber2-WithoutHyphens:root"]}
Grant permissions to an AWS Account
例如
{
"Id": "Policy1616693279544",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt161669321",
"Action": [
"s3:ListBucket"
],
"Effect": "Deny",
"Resource": "arn:aws:s3:::mybucketname",
"Principal": {
"AWS": [
"arn:aws:iam::1234567890:root"
]
}
}
]
}
如果您不想强调正确的策略生成,您可以在此处使用此工具进行交叉验证
我创建了一个 s3 存储桶,并在存储桶中添加了一个策略,表示拒绝规范用户的 ListBucket 操作。这里的规范用户就是我。下面是我的代码..
s3_client.create_bucket(Bucket=bucket_name)
bucket_policy = {
'Version': '2012-10-17',
'Statement': [{
'Sid': 'AddPerm',
'Effect': 'Deny',
'Principal':
#I am denying ListBucket access to this canonical user id.
{"CanonicalUser":"1234567777777777777777544444444466666ac73d5bc7cd43619"},
'Action': ['s3:ListBucket'],
'Resource': f'arn:aws:s3:::{bucket_name}',
}]
}
# Convert the policy from JSON dict to string
bucket_policy = json.dumps(bucket_policy)
s3_client.put_bucket_policy(Bucket=bucket_name, Policy=bucket_policy)
s3_client.put_object(Bucket=bucket_name, Key="a/b/c/abc.txt")
#Still i am getting response for this list_objects operation.
response = s3_client.list_objects(Bucket=bucket_name)
print(response)
如何删除 root 用户的特定 s3 存储桶权限?
谢谢
根据评论,问题是拒绝 root 用户访问同一帐户内的资源,也不推荐这样做。
You can only use an AWS Organizations service control policy (SCP) to limit the permissions of the root user
下面描述的方法适用于跨帐户访问。
根据文档,您可以按以下格式处理 root 用户
"Principal":{"AWS":"arn:aws:iam::AccountNumber-WithoutHyphens:root"}
"Principal":{"AWS":["arn:aws:iam::AccountNumber1-WithoutHyphens:root","arn:aws:iam::AccountNumber2-WithoutHyphens:root"]}
Grant permissions to an AWS Account
例如
{
"Id": "Policy1616693279544",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt161669321",
"Action": [
"s3:ListBucket"
],
"Effect": "Deny",
"Resource": "arn:aws:s3:::mybucketname",
"Principal": {
"AWS": [
"arn:aws:iam::1234567890:root"
]
}
}
]
}
如果您不想强调正确的策略生成,您可以在此处使用此工具进行交叉验证