Hello
A principal is a person or application that can make a request for an action or operation on an AWS resource. The principal is authenticated as the AWS account root user or an IAM entity to make requests to AWS. As a best practice, do not use your root user credentials for your daily work. Instead, create IAM entities (users and roles). You can also support federated users or programmatic access to allow an application to access your AWS account.
A principal must be authenticated (signed in to AWS) using their credentials to send a request to AWS. Some services, such as Amazon S3 and AWS STS, allow a few requests from anonymous users. However, they are the exception to the rule. These are referred to in the IAM docs here: https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html
In the example cited, there will be a difference between using the Principal in the two mentioned methods from the S3 perspective, as covered in this doc: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-bucket-user-policy-specifying-principal-intro.html#s3-anonymous-permissions
- Using "Principal": "*" with an Allow effect in a resource-based policy allows anyone, even if they’re not signed in to AWS, to access your resource.
- Using "Principal" : { "AWS" : "*" } with an Allow effect in a resource-based policy allows any root user, IAM user, assumed-role session, or federated user in any account in the same partition to access your resource. This applies to AWS users i.e. one has to sign in to AWS.
If your testing shows otherwise, kindly provide more detail on the policy used and how you tested it in detail [signing in as an AWS user vs. without] to provide further context. Thank you.
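As an added illustration of the distinction above (this code is not part of the answer or of any AWS tooling), the following Python classifies the Principal element of each Allow statement in a bucket policy, flagging `"*"` as anonymous access and `{"AWS": "*"}` as any-authenticated-identity access. The sample policy, bucket name and account ID are constructed for the example.

```python
import json

# Constructed sample bucket policy showing the principal forms discussed above
# (not a real policy from any account; bucket and account ID are placeholders).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AnonymousRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AnyAwsIdentity", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "SingleAccount", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
        {"Sid": "DenyDelete", "Effect": "Deny", "Principal": "*",
         "Action": "s3:DeleteBucket", "Resource": "arn:aws:s3:::example-bucket"},
    ],
})

def classify_principal(principal):
    """Map a statement's Principal element to one of three classes."""
    if principal == "*":
        return "anonymous"             # anyone, whether or not signed in to AWS
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):       # "AWS" may be a string or a list
            aws = [aws]
        if "*" in aws:
            return "any-aws-identity"  # any authenticated identity in the partition
    return "specific"                  # a named account, user, role or service

def find_wide_open_allows(policy_json):
    """Return (Sid, class) for every Allow statement whose principal is
    '*' or {'AWS': '*'}; Deny statements are skipped since they only restrict."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):   # a single statement need not be wrapped in a list
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        cls = classify_principal(stmt.get("Principal"))
        if cls != "specific":
            findings.append((stmt.get("Sid", "<no Sid>"), cls))
    return findings

if __name__ == "__main__":
    for sid, cls in find_wide_open_allows(SAMPLE_POLICY):
        print(f"{sid}: {cls}")
```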
Thank you for your reply. Does it mean that "Principal" : { "AWS" : "*" } should limit object access only for authenticated AWS users?