
Create an S3 policy that allows full access to one S3 subfolder

AnchovyLegend · 8 years ago

    I am trying to create an AWS S3 policy that allows full access to a specific S3 subfolder and nothing else. In the example below there is a developer named Bob. I created a directory dedicated entirely to Bob, and I want him, when he logs in to the console, to have full read/write permissions only on this S3 folder (the Bob folder).

    This is what I have tried, although when I try to access the bob directory I get an Access Denied error. I would appreciate any suggestions on how to do this.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "s3:ListAllMyBuckets",
                "Resource": "arn:aws:s3:::*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:PutObject",
                    "s3:GetObject",
                    "s3:DeleteObject"
                ],
                "Resource": [
                    "arn:aws:s3:::/mydir/devs/bob/*"
                ]
            }
        ]
    }
    
2 replies

1. Felix · 8 years ago

    This is exactly what I needed. Some of the combination seems counterintuitive (why do I need both ListAllMyBuckets and ListBucket - but without it, it doesn't seem to work):

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetBucketLocation",
                    "s3:ListAllMyBuckets"
                ],
                "Resource": [
                    "arn:aws:s3:::*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:ListBucket"
                ],
                "Resource": [
                    "arn:aws:s3:::mydir"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:PutObject",
                    "s3:GetObject",
                    "s3:DeleteObject"
                ],
                "Resource": [
                    "arn:aws:s3:::mydir/devs/bob/*"
                ]
            }
        ]
    }


    Also, I think it needs a bucket (i.e. mydir rather than mydir/devs/bob).

2. Brandon Miller · 8 years ago

    /mydir/devs/bob/* matches the keys under /mydir/devs/bob/, but does not include the key /mydir/devs/bob itself, i.e. your "folder". It is also missing a bucket name (bucket-name/mydir/devs/bob/*), which means the user cannot use list operations on the "folder" or its parent folders. As a result, Bob cannot navigate to his folder.

    A detailed walkthrough of creating user-specific subfolders is available on the AWS blog, here

    The permissions needed to allow Bob to see the bucket list in the console:

    {
      "Sid": "AllowUserToSeeBucketListInTheConsole",
      "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::*"]
    }
    

    Allow Bob to navigate to his folder by listing each parent directory:

    {
      "Sid": "AllowRootAndHomeListingOfCompanyBucket",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::bucket-name"],
      "Condition":{"StringEquals":{"s3:prefix":["","mydir/","mydir/devs/","mydir/devs/bob"],"s3:delimiter":["/"]}}
    }
    

    Allow Bob to list all files and folders in his folder:

    {
      "Sid": "AllowListingOfUserFolder",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::bucket-name"],
      "Condition":{"StringLike":{"s3:prefix":["mydir/devs/bob/*"]}}
    }
    

    {
       "Sid": "AllowAllS3ActionsInUserFolder",
       "Action":["s3:*"],
       "Effect":"Allow",
       "Resource": ["arn:aws:s3:::bucket-name/mydir/devs/bob/*"]
    }
    

    Combined, it looks like this:

    {
     "Version":"2012-10-17",
     "Statement": [
       {
         "Sid": "AllowUserToSeeBucketListInTheConsole",
         "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
         "Effect": "Allow",
         "Resource": ["arn:aws:s3:::*"]
       },
       {
         "Sid": "AllowRootAndHomeListingOfCompanyBucket",
         "Action": ["s3:ListBucket"],
         "Effect": "Allow",
         "Resource": ["arn:aws:s3:::bucket-name"],
         "Condition":{"StringEquals":{"s3:prefix":["","mydir/","mydir/devs/","mydir/devs/bob"],"s3:delimiter":["/"]}}
       },
       {
         "Sid": "AllowListingOfUserFolder",
         "Action": ["s3:ListBucket"],
         "Effect": "Allow",
         "Resource": ["arn:aws:s3:::bucket-name"],
         "Condition":{"StringLike":{"s3:prefix":["mydir/devs/bob/*"]}}
       },
       {
          "Sid": "AllowAllS3ActionsInUserFolder",
          "Action":["s3:*"],
          "Effect":"Allow",
          "Resource": ["arn:aws:s3:::bucket-name/mydir/devs/bob/*"]
       }
     ]
    }
    

    ${aws:username}
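To see why the question's policy is denied while the combined policy above is allowed, here is an added Python evaluator that is not part of this thread. It approximates only a subset of IAM's rules (Allow/Deny, `*` wildcards in actions and resources, StringEquals and StringLike on `s3:prefix` and `s3:delimiter`), and it uses the answer's placeholder `bucket-name` as the assumed bucket.

```python
import fnmatch

# Assumed bucket name (the answer's placeholder); the question's policy had none, which is the bug.
BUCKET = "arn:aws:s3:::bucket-name"
# Policy from the question: the object ARN lacks a bucket name and there is no s3:ListBucket.
ASKER_POLICY = [
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": ["arn:aws:s3:::*"]},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::/mydir/devs/bob/*"]},
]
# Combined policy from the second answer: prefix-scoped ListBucket plus s3:* under bob's prefix.
ANSWER_POLICY = [
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
     "Resource": ["arn:aws:s3:::*"]},
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [BUCKET],
     "Condition": {"StringEquals": {"s3:prefix": ["", "mydir/", "mydir/devs/", "mydir/devs/bob"],
                                    "s3:delimiter": ["/"]}}},
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [BUCKET],
     "Condition": {"StringLike": {"s3:prefix": ["mydir/devs/bob/*"]}}},
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": [BUCKET + "/mydir/devs/bob/*"]},
]

def _condition_ok(cond, ctx):
    """StringEquals and StringLike only; a context key absent from the request fails, as in IAM."""
    for op, keys in cond.items():
        for key, values in keys.items():
            if key not in ctx:
                return False
            if op == "StringEquals":
                hit = ctx[key] in values
            else:  # StringLike: '*' matches any run of characters, '/' included
                hit = any(fnmatch.fnmatchcase(ctx[key], v) for v in values)
            if not hit:
                return False
    return True

def is_allowed(policy, action, resource, ctx=None):
    """Implicit deny unless an Allow matches action, resource and conditions; an explicit Deny wins."""
    ctx, allowed = ctx or {}, False
    for stmt in policy:
        if not any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in stmt["Resource"]):
            continue
        if not _condition_ok(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

This is a teaching model, not the AWS engine; confirm a real policy with the IAM policy simulator before relying on it.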