如何解决AWS SNS主题访问策略不会阻止用户订阅
我为SNS主题设置了如下访问策略。我以为我只允许user2
订阅主题,但是user1
可以订阅主题。我该如何为我想做的事配置它?
{
"Version": "2008-10-17","Id": "__default_policy_ID","Statement": [
{
"Sid": "__console_pub_0","Effect": "Allow","Principal": {
"AWS": "arn:aws:iam::${account_id}:user/user1"
},"Action": "SNS:Publish","Resource": "arn:aws:sns:eu-west-2:${account_id}:topic1"
},{
"Sid": "__console_sub_0","Principal": {
"AWS": "arn:aws:iam::${account_id}:user/user2"
},"Action": [
"SNS:Subscribe","SNS:Receive"
],"Resource": "arn:aws:sns:eu-west-2:${account_id}:topic1"
}
]
}
解决方法
User1之所以可以订阅,是因为它具有允许操作的基于身份的策略(完整的SNS权限)。如果查看policy evaluation logic,您将看到基于资源的策略(您添加到SNS主题的策略)和基于身份的策略(您添加到user1的完整SNS权限)足以允许访问。
当user1尝试订阅该主题时,IAM会同时查看这两个策略。主题策略不适用,但SNS完全访问权限适用,因此允许该操作。
如果要确保user1无法订阅,可以将“拒绝”策略添加到SNS主题:
{
"Effect": "Deny","Principal": {
"AWS": "arn:aws:iam::${account_id}:user/user1"
},"Action": [
"SNS:Subscribe","SNS:Receive"
],"Resource": "arn:aws:sns:eu-west-2:${account_id}:topic1"
}
如果添加此语句,则当user1尝试订阅时,IAM将看到存在匹配的Deny语句,并将拒绝该请求。
如果要确保只有 个user2可以订阅,可以将NotPrincipal与拒绝一起使用:
{
"Effect": "Deny","NotPrincipal": {
"AWS": "arn:aws:iam::${account_id}:user/user2"
},"Resource": "arn:aws:sns:eu-west-2:${account_id}:topic1"
}
这会匹配除 user2之外的所有用户,并且拒绝订阅,无论他们可能有其他什么策略。
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。