如何在 IAM 策略中的两个条件之间应用 OR 条件？

Question

以下是我的 IAM 策略：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:GetObject*",
            "Resource": "arn:aws:s3:::*",
            "Condition": {
                "StringEquals": {
                    "s3:ExistingObjectTag/custom:kypha": "${aws:PrincipalTag/custom:kypha}",
                    "s3:ExistingObjectTag/custom:pharma": "${aws:PrincipalTag/custom:pharma}"
                }
            }
        }
    ]
}

默认情况下，AWS 在两个条件（“s3:ExistingObjectTag/...”）之间应用 AND。但是我要求它们之间的 OR 以这样的方式进行，即如果满足任何条件，那么它将允许特定的操作。我怎么能做到这一点？任何建议。

Answer 1

您需要两个单独的语句，因为您的键 s3:ExistingObjectTag/custom:kypha 和 s3:ExistingObjectTag/custom:pharma 不同：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:GetObject*",
            "Resource": "arn:aws:s3:::*",
            "Condition": {
                "StringEquals": {
                    "s3:ExistingObjectTag/custom:kypha": "${aws:PrincipalTag/custom:kypha}"}"
                }
            }
        },
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:GetObject*",
            "Resource": "arn:aws:s3:::*",
            "Condition": {
                "StringEquals": {
                    "s3:ExistingObjectTag/custom:pharma": "${aws:PrincipalTag/custom:pharma}"
                }
            }
        }        
        
    ]
}

如何在 IAM 策略中的两个条件之间应用 OR 条件？

How to apply OR conditions between two conditions in IAM policy?

amazon-web-services

amazon-iam