Sil*_*ser 5 amazon-s3 amazon-web-services aws-cloudformation
下面是一个在cfn模板中为A桶设置bucketpolicy的例子。
"mybucketpolicy" : {
"Type" : "AWS::S3::BucketPolicy",
"Properties" : {
"PolicyDocument" : {
"Id" : "MyPolicy",
"Statement" : [ {
"Sid" : "ReadAccess",
"Action" : [ "s3:GetObject" ],
"Effect" : "Allow",
"Resource" : { "Fn::Join" : [
"", [ "arn:aws:s3:::", { "Ref" : "mybucket" } , "/*" ]
] },
"Principal" : {
"AWS" : { "Fn::GetAtt" : [ "mygroup", "Arn" ] }
}
} ]
},
"Bucket" : { "Ref" : "mybucket" }
}
}
}
如果我想将策略应用到另一个存储桶,除了 mybucket,我该怎么做?
我一定要吗:
PS:我在 aws cfn 论坛上问过同样的问题,但我开始意识到我在 SO 上比在 aws 论坛上得到答案更快。
您不能将 AWS::S3::BucketPolicy 资源附加到多个存储桶。要将策略附加到多个资源,您需要使用 IAM 资源。在AWS :: IAM ::政策资源用于通过IAM管理定义策略并将它们应用到各种资源。在我看来,IAM 接口比旧式策略资源更强大和灵活(但更复杂)。您不仅可以将单个策略应用于多个存储桶,还可以将多个策略(语句)应用于多个存储桶并分配给多个 IAM 用户/组/角色。
您可以使用 IAM 组或可以在 CloudFormation 模板中创建的用户授予对特定策略的访问权限,例如。AWS::IAM::Group 资源。
根据您的需要调整此代码段:
"GetS3ContentPolicy" : {
"Type" : "AWS::IAM::Policy",
"Properties" : {
"PolicyName" : "S3ContentPolicy",
"PolicyDocument" : {
"Statement" : [ {
"Effect" : "Allow",
"Action" : [
"s3:ListBucket"
],
"Resource" : [
{ "Fn::Join" : ["", [ "arn:aws:s3:::", { "Ref" : "PubS3Bucket" } ] ] },
{ "Fn::Join" : ["", [ "arn:aws:s3:::", { "Ref" : "SecretS3Bucket" } ] ] }
]
},
{
"Effect" : "Allow",
"Action" : [
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource" : [
{ "Fn::Join" : ["", [ "arn:aws:s3:::", { "Ref" : "PubS3Bucket" }, "/*" ] ] },
{ "Fn::Join" : ["", [ "arn:aws:s3:::", { "Ref" : "SecretS3Bucket" }, "/*" ] ] }
]
} ]
},
"Groups" : [
{ "Ref" : "ManagementInstancesGroup" },
{ "Ref" : "WebInstancesGroup" }
]
}
},