AWS SNS 主题访问策略不会阻止用户订阅
AWS SNS topic access policy does not prevent from users to subscribe
我为 SNS 主题设置了如下访问策略。我以为我只允许 user2 订阅该主题,但 user1 可以订阅该主题。我该如何配置它以实现我想要执行的操作?
{
"Version": "2008-10-17",
"Id": "__default_policy_ID",
"Statement": [
{
"Sid": "__console_pub_0",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${account_id}:user/user1"
},
"Action": "SNS:Publish",
"Resource": "arn:aws:sns:eu-west-2:${account_id}:topic1"
},
{
"Sid": "__console_sub_0",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${account_id}:user/user2"
},
"Action": [
"SNS:Subscribe",
"SNS:Receive"
],
"Resource": "arn:aws:sns:eu-west-2:${account_id}:topic1"
}
]
}
User1 可以订阅,因为它有一个允许该操作的 identity-based 策略(完整的 SNS 权限)。如果您查看 policy evaluation logic,您会看到 resource-based 策略(您添加到 SNS 主题的策略)和 identity-based 策略(您添加到 user1 的完整 SNS 权限)足以允许访问。
当 user1 尝试订阅主题时,IAM 会查看这两个策略。主题策略不适用,但 SNS 完全访问权限适用,因此允许操作。
如果要确保user1不能订阅,可以给SNS主题添加拒绝策略:
{
"Effect": "Deny",
"Principal": {
"AWS": "arn:aws:iam::${account_id}:user/user1"
},
"Action": [
"SNS:Subscribe",
"SNS:Receive"
],
"Resource": "arn:aws:sns:eu-west-2:${account_id}:topic1"
}
如果添加此语句,当 user1 尝试订阅时,IAM 将看到有匹配的 Deny 语句并拒绝该请求。
如果你想确保只有 user2 可以订阅,你可以使用带有拒绝的 NotPrincipal:
{
"Effect": "Deny",
"NotPrincipal": {
"AWS": "arn:aws:iam::${account_id}:user/user2"
},
"Action": [
"SNS:Subscribe",
"SNS:Receive"
],
"Resource": "arn:aws:sns:eu-west-2:${account_id}:topic1"
}
这匹配所有用户 除了 user2 并拒绝订阅,无论他们可能有什么其他政策。
我为 SNS 主题设置了如下访问策略。我以为我只允许 user2 订阅该主题,但 user1 可以订阅该主题。我该如何配置它以实现我想要执行的操作?
{
"Version": "2008-10-17",
"Id": "__default_policy_ID",
"Statement": [
{
"Sid": "__console_pub_0",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${account_id}:user/user1"
},
"Action": "SNS:Publish",
"Resource": "arn:aws:sns:eu-west-2:${account_id}:topic1"
},
{
"Sid": "__console_sub_0",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${account_id}:user/user2"
},
"Action": [
"SNS:Subscribe",
"SNS:Receive"
],
"Resource": "arn:aws:sns:eu-west-2:${account_id}:topic1"
}
]
}
User1 可以订阅,因为它有一个允许该操作的 identity-based 策略(完整的 SNS 权限)。如果您查看 policy evaluation logic,您会看到 resource-based 策略(您添加到 SNS 主题的策略)和 identity-based 策略(您添加到 user1 的完整 SNS 权限)足以允许访问。
当 user1 尝试订阅主题时,IAM 会查看这两个策略。主题策略不适用,但 SNS 完全访问权限适用,因此允许操作。
如果要确保user1不能订阅,可以给SNS主题添加拒绝策略:
{
"Effect": "Deny",
"Principal": {
"AWS": "arn:aws:iam::${account_id}:user/user1"
},
"Action": [
"SNS:Subscribe",
"SNS:Receive"
],
"Resource": "arn:aws:sns:eu-west-2:${account_id}:topic1"
}
如果添加此语句,当 user1 尝试订阅时,IAM 将看到有匹配的 Deny 语句并拒绝该请求。
如果你想确保只有 user2 可以订阅,你可以使用带有拒绝的 NotPrincipal:
{
"Effect": "Deny",
"NotPrincipal": {
"AWS": "arn:aws:iam::${account_id}:user/user2"
},
"Action": [
"SNS:Subscribe",
"SNS:Receive"
],
"Resource": "arn:aws:sns:eu-west-2:${account_id}:topic1"
}
这匹配所有用户 除了 user2 并拒绝订阅,无论他们可能有什么其他政策。