I am looking at the default policy (below) and I do not understand why the section identified as SID 3 is necessary. By default permissions are denied unless they are allowed. I don't see that the previous sections (SID 1 and SID 2) allow the actions that are denied in SID 3. Am I missing something? It doesn't hurt to explicitly set these denials but I think they are unnecessary.
{
  "Version" : "2008-10-17",
  "Statement" : [{
      "Sid" : "1",
      "Effect" : "Allow",
      "Action" : ["s3:Put*", "s3:ListBucket", "s3:*MultipartUpload*", "s3:Get*"],
      "Resource" : "*"
    }, {
      "Sid" : "2",
      "Effect" : "Allow",
      "Action" : "sns:Publish",
      "Resource" : "*"
    }, {
      "Sid" : "3",
      "Effect" : "Deny",
      "Action" : ["s3:*Delete*", "s3:*Policy*", "sns:*Remove*", "sns:*Delete*", "sns:*Permission*"],
      "Resource" : "*"
    }
  ]
}
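
The evaluation rule the question turns on (an explicit Deny overrides any matching Allow, and anything unmatched is implicitly denied), applied to the policy above as an added example that is not part of the original post. The sample action list is constructed, the function names are hypothetical, and Resource and Condition matching are left out because every statement here uses "Resource" : "*".

```python
import re

# The policy from the post, with the closing brace restored.
POLICY = {"Version": "2008-10-17", "Statement": [
    {"Sid": "1", "Effect": "Allow", "Resource": "*",
     "Action": ["s3:Put*", "s3:ListBucket", "s3:*MultipartUpload*", "s3:Get*"]},
    {"Sid": "2", "Effect": "Allow", "Resource": "*", "Action": "sns:Publish"},
    {"Sid": "3", "Effect": "Deny", "Resource": "*",
     "Action": ["s3:*Delete*", "s3:*Policy*", "sns:*Remove*",
                "sns:*Delete*", "sns:*Permission*"]},
]}

# Constructed sample of S3/SNS action names to run through the policy.
SAMPLE_ACTIONS = ["s3:PutObject", "s3:GetObject", "s3:PutBucketPolicy",
                  "s3:GetBucketPolicy", "s3:DeleteObject", "s3:DeleteBucketPolicy",
                  "s3:ListBucketMultipartUploads", "sns:Publish",
                  "sns:DeleteTopic", "sns:AddPermission"]

def action_matches(pattern, action):
    """IAM action wildcards: '*' is any run of characters, '?' is one; case-insensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def matching_sids(policy, action, effect):
    """Sids of the statements with this Effect whose Action list matches."""
    sids = []
    for stmt in policy["Statement"]:
        patterns = stmt["Action"]
        if isinstance(patterns, str):      # "Action" may be a string or a list
            patterns = [patterns]
        if stmt["Effect"] == effect and any(action_matches(p, action) for p in patterns):
            sids.append(stmt["Sid"])
    return sids

def evaluate(policy, action):
    """Return (decision, allowing Sids, denying Sids) for one action."""
    allow = matching_sids(policy, action, "Allow")
    deny = matching_sids(policy, action, "Deny")
    decision = "ExplicitDeny" if deny else "Allow" if allow else "ImplicitDeny"
    return decision, allow, deny

def overridden_allows(policy, actions):
    """Actions that an Allow statement grants and a Deny statement then removes."""
    return [a for a in actions
            if matching_sids(policy, a, "Allow") and matching_sids(policy, a, "Deny")]

if __name__ == "__main__":
    for name in SAMPLE_ACTIONS:
        print(f"{name:32} {evaluate(POLICY, name)}")
    print("Allowed, then denied by Sid 3:", overridden_allows(POLICY, SAMPLE_ACTIONS))
```

In this sample, s3:PutBucketPolicy and s3:GetBucketPolicy match both Sid 1 (s3:Put*, s3:Get*) and Sid 3 (s3:*Policy*), so Sid 3 changes their outcome; the delete and SNS permission actions match no Allow and would be denied with or without it.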