AWS 政策是否会阻止政策中未指定的所有操作?
Does AWS policy block all operations not specified in the policy?
例如,
{
"Version": "2012-10-17",
"Id": "ExamplePolicy01",
"Statement": [
{
"Sid": "ExampleStatement01",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:user/Dave"
},
"Action": [
"s3:GetObject",
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::awsexamplebucket1/*",
"arn:aws:s3:::awsexamplebucket1"
]
}
]
}
此策略允许 Dave 在 S3 中对 awsexamplebucket1 执行 3 次操作。那么在 awsexamplebucket1 中创建对象等其他操作如何? 这些操作是否被阻止?
您需要阅读 Policy Evaluation Logic。所有其他操作都被隐式拒绝。这意味着被拒绝,除非有其他政策允许他们。
从上面的 link 复制:
The following is a summary of the AWS evaluation logic for policies
within a single account.
- By default, all requests are implicitly denied with the exception of the AWS account root user, which has full access.
- An explicit allow in an identity-based or resource-based policy overrides this default.
- If a permissions boundary, Organizations SCP, or session policy is present, it might override the allow with an implicit deny.
- An explicit deny in any policy overrides any allows.
假设 Dave 是与此 S3 存储桶位于同一帐户中的 IAM 用户,通常您会将这些权限直接分配给 Dave(通过附加到 Dave IAM 用户或其 IAM 组之一的策略)。您将不会在 S3 存储桶策略中执行此操作。
在回答您的问题时,不,此存储桶策略不会阻止存储桶上的其他未列出的操作。但是,默认情况下,不存在其他权限。
但是,如果 Dave 从他的 IAM 用户或 IAM 组策略中获得与此存储桶相关的额外 S3 权限,那么这些权限将补充存储桶策略中列出的权限。
例如,
{
"Version": "2012-10-17",
"Id": "ExamplePolicy01",
"Statement": [
{
"Sid": "ExampleStatement01",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:user/Dave"
},
"Action": [
"s3:GetObject",
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::awsexamplebucket1/*",
"arn:aws:s3:::awsexamplebucket1"
]
}
]
}
此策略允许 Dave 在 S3 中对 awsexamplebucket1 执行 3 次操作。那么在 awsexamplebucket1 中创建对象等其他操作如何? 这些操作是否被阻止?
您需要阅读 Policy Evaluation Logic。所有其他操作都被隐式拒绝。这意味着被拒绝,除非有其他政策允许他们。
从上面的 link 复制:
The following is a summary of the AWS evaluation logic for policies within a single account.
- By default, all requests are implicitly denied with the exception of the AWS account root user, which has full access.
- An explicit allow in an identity-based or resource-based policy overrides this default.
- If a permissions boundary, Organizations SCP, or session policy is present, it might override the allow with an implicit deny.
- An explicit deny in any policy overrides any allows.
假设 Dave 是与此 S3 存储桶位于同一帐户中的 IAM 用户,通常您会将这些权限直接分配给 Dave(通过附加到 Dave IAM 用户或其 IAM 组之一的策略)。您将不会在 S3 存储桶策略中执行此操作。
在回答您的问题时,不,此存储桶策略不会阻止存储桶上的其他未列出的操作。但是,默认情况下,不存在其他权限。
但是,如果 Dave 从他的 IAM 用户或 IAM 组策略中获得与此存储桶相关的额外 S3 权限,那么这些权限将补充存储桶策略中列出的权限。