拒绝所有 S3 存储桶的 GetObject

Question

我想创建一个具有只读策略的 IAM 角色 (arn:aws:iam::aws:policy/ReadOnlyAccess)。

为了防止访问所有存储桶上的所有对象，我在 Cloudformation 模板中添加了一个拒绝部分：

  ReadOnlyAccessRole:
    Type: AWS::IAM::Role
    Properties:
      Path: /
      RoleName: read-only-role
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Ref AwsAccount
            Action: sts:AssumeRole
      
          - Effect: Deny
            Sid: DenyS3GetObject
            Action: s3:GetObject
            Resource: "arn:aws:s3:::/*"

      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/ReadOnlyAccess"

我在拒绝部分（资源）中收到“MalformedPolicyDocument”错误。

我已经测试了这些选项：

资源：“*”
资源：“arn:aws:s3:::/*”
资源：“arn:aws:s3:::prefix-bucket*”

你知道这个语法错误吗？

编辑：

Cloudformation 错误：

Blockquote Has prohibited field Resource (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: ......; Proxy: null) enter code here

Answer 1

您似乎漏掉了 Policies 部分。

尝试这样的事情：

AWSTemplateFormatVersion: "2010-09-09"

Resources:
  MyTestRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: read-only-role
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
          - Effect: Allow
            Principal:
              AWS: !Ref AwsAccount
            Action: sts:AssumeRole
      Policies:
        - PolicyName: EmbeddedInlinePolicy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Deny
                Action: s3:GetObject
                Resource: '*'
      ManagedPolicyArns: 
        - arn:aws:iam::aws:policy/ReadOnlyAccess

拒绝所有 S3 存储桶的 GetObject

Deny GetObject for all S3 bucket

amazon-s3

amazon-web-services

amazon-cloudformation

amazon-iam