@rowanu
Thanks for the reply, it is helpful. I do see a lot of these have their permissions defined by JSON. Now several are identical except for the ARN for the specific S3 bucket that they are attached to.
We have data being pulled and dropped into specific buckets (dozens of them) and individual users made to interact with each of these buckets, I believe this is all being accessed/used through custom code through Azure Devops.
How do I create a single policy and/or single group to cover these without giving extra permissions to users that shouldn't have them? Currently IAM user 1 has a policy JSON to give it permissions to S3 bucket 1, and IAM user 2 has a policy JSON to give it permissions to S3 bucket 2, but with identical permissions to their respective buckets. Can this be done, creating a single policy (covering the specific S3 permissions defined in the JSON) that I can apply to a group OR individual users, that will grant IAM User 1 access to S3 bucket 1 but not Bucket 2, 3, 4 etc., and that can then be put onto ALL the users that share these S3 access permissions?
I am trying to avoid making dozens of nearly identical policies to accommodate each of these user/bucket combos; that would also require making new policies each time a new user/bucket combo was made. Instead, make it once and either apply it to a new user, or add the next new user to a group with this policy assigned; either way is fine.
Thanks again!
I think your understanding is correct. This error is flagging that you have IAM policies attached directly to users. This makes it harder to keep track of who has what permissions, and keep them updated over time. If you want to keep using IAM users, then you should be using groups to assign them permissions.
Roles and groups both leverage identity policies, but serve very different purposes. Groups help you manage users; roles allow you to give short-term access to AWS (to users, AWS services, etc.).
It sounds like you want to leverage attribute-based access control (ABAC), which can do what you want, but gets complicated.
Check out the official docs https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html or the official blogs https://aws.amazon.com/blogs/security/tag/abac/ to learn more about ABAC.
You will have to attach a tag to the user, and then reference that tag in the policy that's attached to the group to determine the bucket that they can access.
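As an added illustration of that last point (this is not code from the answer above or from AWS), here is the shape such a group policy could take, assuming each IAM user carries a tag named `bucket` whose value is the name of the one bucket that user may use; the action list is a placeholder for whatever the existing per-user JSON actually grants:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyTheBucketNamedInTheUsersTag",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::${aws:PrincipalTag/bucket}"
    },
    {
      "Sid": "ObjectAccessOnlyInTheBucketNamedInTheUsersTag",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::${aws:PrincipalTag/bucket}/*"
    }
  ]
}
```

IAM substitutes the calling user's `bucket` tag value into the ARN at evaluation time, so one policy on the group grants each member access to their own bucket only; a user with no such tag matches nothing and is denied, and whoever can edit the tag can change which bucket the user reaches, so tagging rights need the same care as the policy itself.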