只赋予用户s3某个bucket的读写权限
编程访问
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::test"]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": ["arn:aws:s3:::test/*"]
}
]
}
如果Resource部分用test*匹配的话,这两条策略是可以合并成一条的,但是这样就会把其他以tets开头的bucket也包括进来,所以 最后还是分开两条编写
2.控制台访问
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::test"]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": ["arn:aws:s3:::test/*"]
}
]
}
NoAction
给用户赋予sqs写的权限,默认做法是给予FullAccess的策略,但是FullAccess的权限太大,对所有的sqs队列都有写甚至删除的权限,
反过来,如果按照aws最小权限的原则,只给与用户会用到的某个sqs队列的权限,又不利于后期的扩展,因为,如果后期用户需要新增sqs队列权限,就又需要改频繁更改iam策略,费时费力。
能否采用一个折中的办法?这时候就需要在iam策略中引入NoAction元素,NoAction就是例外的意思
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SQSNoDeletePermission",
"Effect": "Allow",
"NotAction": "sns:DeleteQueue",
"Resource": "arn:aws:sqs:*:*:*"
}
]
}
以上策略会给与用户所有的sqs的读写权限,除了删除权限
NoAction不仅适用于sqs,还适用于s3、sns等其他资源