Hello,
If I understood correctly, you would like to allow S3 actions only if the requester is using temporary credentials.
In this case, you can use the "Null" condition operator [1] to check the existence of the "aws:TokenIssueTime" [2] Global condition key; as stated in the documentation [1], "If the user is using temporary credentials, then the key aws:TokenIssueTime exists and has a value."
The same documentation [1] gives an example in which "the user MUST NOT be using temporary credentials (the key must not exist) for the user to use the Amazon EC2 API." (which is the opposite of your case).
If you are planning to attach your policy to an IAM user, it should be like:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": "my_s3_bucket_arn/*",
            "Condition": {
                "Null": {
                    "aws:TokenIssueTime": "false"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": "my_s3_bucket_arn",
            "Condition": {
                "Null": {
                    "aws:TokenIssueTime": "false"
                }
            }
        }
    ]
}
Note: IAM identity-based policies (attached to IAM users, groups or roles) don't have the "Principal" element [3].
The above policy is checking that "aws:TokenIssueTime" IS NOT Null, which means the entity should be using temporary credentials; in this case, the user will be able to call the allowed S3 API actions if it is using temporary credentials obtained using "GetSessionToken" or by assuming a role.
I hope this has answered your question!
References:
[1] IAM JSON Policy Elements: Condition Operators - Condition Operator to Check Existence of Condition Keys - https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_Null
[2] AWS Global Condition Context Keys - aws:TokenIssueTime - https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tokenissuetime
[3] AWS JSON Policy Elements: Principal - https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html
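To make the "Null" operator semantics concrete, here is an added example (not part of the answer above, and not AWS's own evaluation engine): a small Python evaluator that applies the answer's policy, plus the opposite EC2 policy from the IAM docs, to two constructed request contexts, one for a long-term access key and one for temporary STS credentials. The bucket ARN, account id, principal ARNs and the token issue time are all constructed placeholders; it models only the "Null" operator and simple Action/Resource wildcard matching, and rejects any other operator rather than guessing.

```python
"""Simplified evaluator for the IAM "Null" condition operator (added example)."""
import fnmatch
import json

# Constructed identity-based policy in the same shape as the answer's policy.
# The bucket ARN is a placeholder, not a real resource.
S3_TEMP_CREDS_ONLY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {"Null": {"aws:TokenIssueTime": "false"}}
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3:::example-bucket",
      "Condition": {"Null": {"aws:TokenIssueTime": "false"}}
    }
  ]
}
""")

# The opposite case from the IAM docs: EC2 only with long-term credentials
# (the key must NOT exist). Constructed to mirror that example.
EC2_LONG_TERM_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ec2:*",
        "Resource": "*",
        "Condition": {"Null": {"aws:TokenIssueTime": "true"}},
    }],
}

# Constructed request contexts. Only temporary credentials (STS GetSessionToken
# or AssumeRole) carry aws:TokenIssueTime; a long-term access key does not.
LONG_TERM_CONTEXT = {"aws:PrincipalArn": "arn:aws:iam::111111111111:user/alice"}
TEMP_CREDS_CONTEXT = {
    "aws:PrincipalArn": "arn:aws:sts::111111111111:assumed-role/S3Role/session",
    "aws:TokenIssueTime": "2024-01-01T00:00:00Z",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def null_condition_matches(condition_block, context):
    """"Null": {key: "true"} matches when the key is ABSENT from the request;
    "Null": {key: "false"} matches when the key is PRESENT with a value.
    Every listed key must match. Any other operator raises instead of being
    silently ignored, so a mis-evaluation cannot hide."""
    for operator, checks in condition_block.items():
        if operator != "Null":
            raise NotImplementedError(f"operator {operator} is not modelled here")
        for key, expected in checks.items():
            want_absent = str(expected).lower() == "true"
            is_absent = context.get(key) is None
            if want_absent != is_absent:
                return False
    return True


def _statement_matches(stmt, action, resource, context):
    # IAM allows * and ? wildcards in Action and Resource; fnmatchcase covers both.
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return null_condition_matches(stmt.get("Condition", {}), context)


def is_allowed(policy, action, resource, context):
    """Simplified IAM decision: an explicit Deny wins, then any matching Allow,
    otherwise implicit deny."""
    matched = [s for s in policy["Statement"]
               if _statement_matches(s, action, resource, context)]
    if any(s["Effect"] == "Deny" for s in matched):
        return False
    return any(s["Effect"] == "Allow" for s in matched)


if __name__ == "__main__":
    key = "arn:aws:s3:::example-bucket/report.csv"
    print("GetObject with long-term key:", is_allowed(S3_TEMP_CREDS_ONLY, "s3:GetObject", key, LONG_TERM_CONTEXT))
    print("GetObject with temp creds:   ", is_allowed(S3_TEMP_CREDS_ONLY, "s3:GetObject", key, TEMP_CREDS_CONTEXT))
```

Running it shows the long-term key denied and the temporary-credential session allowed for the same S3 object, and the reverse for the EC2 policy; the evaluator deliberately raises on any operator other than "Null" so it cannot be mistaken for a general policy simulator.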