2 Risposte
- Più recenti
- Maggior numero di voti
- Maggior numero di commenti
0
To achieve your goal of allowing a user to view and manage objects within a specific S3 bucket, but denying the ability to create new buckets, you can use the following IAM policy:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ], "Resource": "arn:aws:s3:::my-bucket" }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject" ], "Resource": "arn:aws:s3:::my-bucket/*" }, { "Effect": "Deny", "Action": "s3:CreateBucket", "Resource": "*" } ] }
Here's what this policy does:
- The first statement allows the user to list the contents of the
my-bucket
bucket and get the bucket's location. - The second statement allows the user to get objects, put objects, and delete objects within the
my-bucket
bucket. - The third statement explicitly denies the
s3:CreateBucket
action on all resources (*
), effectively preventing the user from creating new buckets.
con risposta 2 mesi fa
0
Hello,
the second deny seems to contradict this by trying to allow the same action on any resource not matching
{
"Effect": "Deny",
"Action": "s3:CreateBucket",
"NotResource": "arn:aws:s3:::*"
},
con risposta 2 mesi fa
Contenuto pertinente
- AWS UFFICIALEAggiornata 2 anni fa
- AWS UFFICIALEAggiornata un anno fa
I did try this policy, but after logging in as the IAM user, it is still able to create a bucket! will it take time for this policy to take affect? I'm assuming it will be instantly but it doesn't work. What could be the reason and what are other options? Thanks.