1. 技术文章
  2. Use aws cli to add a statement to an existing S3 bucket policy

Use aws cli to add a statement to an existing S3 bucket policy

帅比萌擦擦* 提交于 2020-02-06 06:44:56

问题


Assuming I already have a policy attached to a bucket, in the likes of:

{
    "Version": "2012-10-17",
    "Id": "123",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": {
                "AWS": "arn:aws:iam::9876543211:someuser"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::my-bucket",
                "arn:aws:s3:::my-bucket/*"
            ]
        }
    ]
}

I want to update this policy, so that I enforce SSL (i.e. I want the statement above to remain intact).

How can I use aws cli so that my policy ends up looking like this:

{
    "Version": "2012-10-17",
    "Id": "123",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": {
                "AWS": "arn:aws:iam::9876543211:someuser"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::my-bucket",
                "arn:aws:s3:::my-bucket/*"
            ]
        },
        {
            "Action": "s3:*",
            "Effect":"Deny",
            "Principal": "*",
            "Resource":"arn:aws:s3:::my-bucket/*",
            "Condition":{
                "Bool":
                { "aws:SecureTransport": false }
            }
        }
    ]
}

回答1:


In case you want to attach\update Inline policy, You can use the aws iam put-role-policy command.

Description:

Adds or updates an inline policy document that is embedded in the specified IAM role.

usage:

cat > policy-name.json << EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1572432380474",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
EOF

aws iam put-role-policy \
--role-name ${ROLE_NAME} \
--policy-name policy-name \
--policy-document file://policy-name.json

In case you want to update Managed policy, use aws organizations update-policy command.

Description:

Updates an existing policy with a new name, description, or content. If you don't supply any parameter, that value remains unchanged. You can't change a policy's type.

usage:

aws organizations update-policy \
    --policy-id policy-id \
    --content "{
    "Version": "2012-10-17",
    "Id": "123",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": {
                "AWS": "arn:aws:iam::9876543211:someuser"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::my-bucket",
                "arn:aws:s3:::my-bucket/*"
            ]
        },
        {
            "Action": "s3:*",
            "Effect":"Deny",
            "Principal": "*",
            "Resource":"arn:aws:s3:::my-bucket/*",
            "Condition":{
                "Bool":
                { "aws:SecureTransport": false }
            }
        }
    ]
}
"


来源:https://stackoverflow.com/questions/58623120/use-aws-cli-to-add-a-statement-to-an-existing-s3-bucket-policy

标签
amazon-web-services
amazon-s3
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!