我正在與我的IT團隊一起限制我的用戶帳戶(在root帳戶下),以便它無法訪問我不想訪問的S3存儲桶。啓用AWSLambdaFullAccess策略時,可以完全訪問許多AWS功能,包括全部S3功能。以下是AWSLambdaFullAccess策略:AWS IAM策略:如何更改AWSLambdaFullAccess策略以僅允許訪問一個S3存儲桶?
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:*",
"cognito-identity:ListIdentityPools",
"cognito-sync:GetCognitoEvents",
"cognito-sync:SetCognitoEvents",
"dynamodb:*",
"events:*",
"iam:ListAttachedRolePolicies",
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:PassRole",
"kinesis:DescribeStream",
"kinesis:ListStreams",
"kinesis:PutRecord",
"lambda:*",
"logs:*",
"s3:*",
"sns:ListSubscriptions",
"sns:ListSubscriptionsByTopic",
"sns:ListTopics",
"sns:Subscribe",
"sns:Unsubscribe"
],
"Resource": "*"
}
]
}
大部分情況都沒有問題。我如何將其作爲新策略進行修改,以便我只能訪問「arn:aws:s3 ::: lambda-scripts」存儲桶?
我會去解決這個問題。的確,AWSLambdaFullAccess策略提供了比我需要的更多的訪問。我會制定一個新的政策,減少所有的脂肪。 –