An example S3 access point policy that allows access only to objects under a specific prefix, and only from a specific IAM role in another account.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": { "AWS": "*" },
      "Action": "s3:*",
      "NotResource": [
        "arn:aws:s3:ap-northeast-1:123456789012:accesspoint/az2-get/object/az1-put/az2-get",
        "arn:aws:s3:ap-northeast-1:123456789012:accesspoint/az2-get/object/az1-put/az2-get/*"
      ]
    },
    {
      "Effect": "Deny",
      "Principal": { "AWS": "*" },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:ap-northeast-1:234567890123:accesspoint/az2-get/object/*",
      "Condition": {
        "StringNotLike": {
          "aws:userid": "ARO****************CM:*"
        }
      }
    }
  ]
}
```

★ `"aws:userid"`: specify the unique ID of the IAM role here (the `:*` suffix matches any session name).
- The unique ID (`RoleId`) of the IAM role is obtained as follows. For an assumed-role session, `aws:userid` has the form `<RoleId>:<session-name>`, which is why the policy matches `<RoleId>:*`; matching on the unique ID rather than the role name means a role that is deleted and recreated with the same name does not regain access.
```console
$ aws iam get-role --role-name EC2AdminRole
{
    "Role": {
        "Path": "/",
        "RoleName": "EC2AdminRole",
        "RoleId": "ARO****************CM",
        "Arn": "arn:aws:iam::234567890123:role/EC2AdminRole",
        "CreateDate": "2018-09-09T03:24:34+00:00",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "ec2.amazonaws.com"
                    },
                    "Action": "sts:AssumeRole"
                }
            ]
        },
        "Description": "Allows EC2 instances to call AWS services on your behalf.",
        "MaxSessionDuration": 3600,
        "RoleLastUsed": {
            "LastUsedDate": "2021-07-17T08:45:05+00:00",
            "Region": "ap-northeast-1"
        }
    }
}
```

★ `RoleId`: the unique ID of the IAM role.
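To make the effect of the two Deny statements concrete, here is an added Python example (not code from the original page) that builds the same policy from parameters and evaluates a few constructed requests against it with a minimal model of IAM's `NotResource` and `StringNotLike` semantics. The account ID, access point name, prefix and the `RoleId` value `AROAEXAMPLEROLEID000` are placeholders; the real `RoleId` is the one returned by `aws iam get-role` above. Unlike the page's policy, this builder uses one account ID for both access point ARNs, since an access point ARN always carries the ID of the account that owns the access point.

```python
import fnmatch
import json

# Constructed sample values (not from the page); ROLE_ID is a placeholder
# for the real "ARO...CM" RoleId returned by `aws iam get-role`.
AP_ACCOUNT = "123456789012"
REGION = "ap-northeast-1"
AP_NAME = "az2-get"
PREFIX = "az1-put/az2-get"
ROLE_ID = "AROAEXAMPLEROLEID000"


def access_point_arn(account=AP_ACCOUNT, region=REGION, name=AP_NAME):
    return f"arn:aws:s3:{region}:{account}:accesspoint/{name}"


def build_policy(account=AP_ACCOUNT, region=REGION, name=AP_NAME,
                 prefix=PREFIX, role_id=ROLE_ID):
    """Two Deny statements, as on the page: everything outside the prefix,
    and any object access whose aws:userid is not a session of role_id."""
    ap = access_point_arn(account, region, name)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Principal": {"AWS": "*"},
                "Action": "s3:*",
                "NotResource": [f"{ap}/object/{prefix}", f"{ap}/object/{prefix}/*"],
            },
            {
                "Effect": "Deny",
                "Principal": {"AWS": "*"},
                "Action": "s3:*",
                "Resource": f"{ap}/object/*",
                # assumed-role sessions carry aws:userid = "<RoleId>:<session-name>"
                "Condition": {"StringNotLike": {"aws:userid": f"{role_id}:*"}},
            },
        ],
    }


def policy_json(**kwargs):
    """The policy as valid JSON text (no inline annotations), ready to upload."""
    return json.dumps(build_policy(**kwargs), indent=2)


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _glob(pattern, value):
    # IAM '*' and '?' behave like shell globs ('*' also crosses '/');
    # fnmatch's '[...]' syntax is not IAM syntax but never occurs in these strings.
    return fnmatch.fnmatchcase(value, pattern)


def _resource_applies(stmt, resource):
    if "Resource" in stmt:
        return any(_glob(p, resource) for p in _as_list(stmt["Resource"]))
    # NotResource: the statement applies to everything the patterns do NOT match
    return not any(_glob(p, resource) for p in _as_list(stmt["NotResource"]))


def _conditions_hold(stmt, context):
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "StringNotLike":
            raise NotImplementedError(f"operator {operator} is not modelled here")
        for key, patterns in pairs.items():
            value = context.get(key)
            # StringNotLike is true when the value matches none of the patterns;
            # a missing key is treated here as "no match", so the Deny applies.
            if value is not None and any(_glob(p, value) for p in _as_list(patterns)):
                return False
    return True


def is_explicitly_denied(policy, action, resource, context):
    """True if any Deny statement matches. Principal is "*" in every statement
    here, so it is not checked. False only means "not denied by this policy";
    an Allow is still needed somewhere for the request to succeed."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(_glob(a, action) for a in _as_list(stmt["Action"])):
            continue
        if _resource_applies(stmt, resource) and _conditions_hold(stmt, context):
            return True
    return False


def demo():
    """Evaluate constructed requests; returns {label: denied?}."""
    policy = build_policy()
    ap = access_point_arn()
    in_prefix = f"{ap}/object/{PREFIX}/report.csv"
    outside = f"{ap}/object/other/report.csv"
    role_session = {"aws:userid": f"{ROLE_ID}:i-0123456789abcdef0"}
    other_user = {"aws:userid": "AIDAEXAMPLEUSER00000"}  # constructed IAM user ID
    return {
        "role, object under prefix": is_explicitly_denied(policy, "s3:GetObject", in_prefix, role_session),
        "role, object outside prefix": is_explicitly_denied(policy, "s3:GetObject", outside, role_session),
        "other principal, object under prefix": is_explicitly_denied(policy, "s3:GetObject", in_prefix, other_user),
        "role, ListBucket on the access point": is_explicitly_denied(policy, "s3:ListBucket", ap, role_session),
    }


if __name__ == "__main__":
    print(policy_json())
    for label, denied in demo().items():
        print(f"{'DENY' if denied else 'pass'}  {label}")
```

Running `demo()` shows that only the role's sessions reading objects under the prefix escape both Deny statements. It also shows a consequence of the first statement worth knowing before deploying: its `NotResource` lists only object ARNs, so `s3:ListBucket` against the access point ARN itself is denied for everyone, including the role; if listing under the prefix is required, the access point ARN has to be added to `NotResource` and the listing scoped with an `s3:prefix` condition instead.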