S3: Prevent public exposure

Prevents changes that would make S3 buckets public. If the principal making the request carries the tag identity-perimeter-exception: true, the SCP's Deny statements do not apply to it (the intended break-glass exception).

    {
       "Version": "2012-10-17",
       "Statement": [
          {
             "Sid": "PreventPublicBucketACL",
             "Effect": "Deny",
             "Action": [
                "s3:PutBucketAcl",
                "s3:CreateBucket"
             ],
             "Resource": "*",
             "Condition": {
                "StringEquals": {
                   "s3:x-amz-acl": [
                      "public-read",
                      "public-read-write"
                   ]
                },
                "StringNotEqualsIfExists": {
                   "aws:PrincipalTag/identity-perimeter-exception": "true"
                }
             }
          },
          {
             "Sid": "PreventS3PublicAccessBlockConfigurations",
             "Effect": "Deny",
             "Action": "s3:PutAccountPublicAccessBlock",
             "Resource": "*",
             "Condition": {
                "StringNotEqualsIfExists": {
                   "aws:PrincipalTag/identity-perimeter-exception": "true"
                }
             }
          }
       ]
    }
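To see exactly which requests the two Deny statements catch, here is a small condition evaluator written for this page (added example; it is not AWS's policy engine and not part of the original document). It implements only the two operators the SCP uses, `StringEquals` and `StringNotEqualsIfExists`, with the IAM rule that an `...IfExists` condition is satisfied when the key is absent from the request context, and replays constructed request contexts against the policy. The action `s3:PutBucketPublicAccessBlock` used in one of the sample requests is a real S3 action that the policy simply does not list; the request contexts themselves are constructed for this example.

```python
"""Replay constructed S3 requests against the SCP's Deny statements.

This is an added illustration of how the conditions combine; authoritative
answers come from the IAM policy simulator, not from this script.
"""
import fnmatch

# The policy from the page, as a complete policy document.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PreventPublicBucketACL",
            "Effect": "Deny",
            "Action": ["s3:PutBucketAcl", "s3:CreateBucket"],
            "Resource": "*",
            "Condition": {
                "StringEquals": {"s3:x-amz-acl": ["public-read", "public-read-write"]},
                "StringNotEqualsIfExists": {
                    "aws:PrincipalTag/identity-perimeter-exception": "true"
                },
            },
        },
        {
            "Sid": "PreventS3PublicAccessBlockConfigurations",
            "Effect": "Deny",
            "Action": "s3:PutAccountPublicAccessBlock",
            "Resource": "*",
            "Condition": {
                "StringNotEqualsIfExists": {
                    "aws:PrincipalTag/identity-perimeter-exception": "true"
                }
            },
        },
    ],
}

TAG_KEY = "aws:PrincipalTag/identity-perimeter-exception"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(operator, key, expected, context):
    """Evaluate one condition key against the request context.

    Only the operators used by this SCP are implemented. A missing key
    satisfies an ...IfExists operator and fails a plain StringEquals.
    """
    expected = _as_list(expected)
    if key not in context:
        return operator.endswith("IfExists")
    actual = context[key]
    if operator == "StringEquals":
        return actual in expected
    if operator == "StringNotEqualsIfExists":
        return actual not in expected
    raise ValueError(f"operator not modelled here: {operator}")


def statement_applies(stmt, action, context):
    """True when the Action matches and every condition key is satisfied."""
    # Action names are matched with * wildcards; real IAM matching is
    # case-insensitive, which is omitted here.
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        for key, expected in keys.items():
            if not _condition_matches(operator, key, expected, context):
                return False
    return True


def denied_by(policy, action, context):
    """Sids of Deny statements that block the request; empty means this SCP
    does not block it (other policies may still)."""
    return [
        s["Sid"]
        for s in policy["Statement"]
        if s["Effect"] == "Deny" and statement_applies(s, action, context)
    ]


if __name__ == "__main__":
    # Constructed request contexts: (description, action, context)
    samples = [
        ("public canned ACL, no tag", "s3:PutBucketAcl", {"s3:x-amz-acl": "public-read"}),
        ("public canned ACL, exception tag", "s3:PutBucketAcl",
         {"s3:x-amz-acl": "public-read-write", TAG_KEY: "true"}),
        ("private bucket creation", "s3:CreateBucket", {"s3:x-amz-acl": "private"}),
        ("ACL set via grants body, no canned ACL header", "s3:PutBucketAcl", {}),
        ("account-level block change, no tag", "s3:PutAccountPublicAccessBlock", {}),
        ("bucket-level block change (not listed)", "s3:PutBucketPublicAccessBlock", {}),
    ]
    for description, action, context in samples:
        print(f"{description:48} -> {denied_by(SCP, action, context) or 'not blocked'}")
```

Two of the sample rows are worth dwelling on: a `PutBucketAcl` call that supplies grants in the request body rather than a canned `x-amz-acl` header carries no `s3:x-amz-acl` key, so the `StringEquals` condition is not met and the first statement does not fire; and `s3:PutBucketPublicAccessBlock` is not among the listed actions, so the second statement only governs the account-level setting. Whether either gap matters depends on the other controls in the account, which this page does not describe.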
