Mil*_*rks 7 policy amazon-s3 amazon-iam
您是否在理解S3 IAM策略和指令时遇到问题?不能完全围绕他们的文档?我做到了.
我有一种情况,我不得不从一个特定的文件夹中锁定几个IAM用户,除了一个,还有几个桶,而且他们的大多数解决方案和示例解决方案都像我所关注的一样清晰.在搜索网络而没有找到我要找的东西后,我找到了一个资源(http://blogs.aws.amazon.com/security/post/Tx1P2T3LFXXCNB5/Writing-IAM-policies-Grant-access-to-user-特定文件夹在亚马逊S3-bucke中,这是明确的,实际上有用,但它确实需要一些修改,结果是你在下面看到的政策....
它的作用是允许用户访问存储桶中的特定文件夹,但是DENIES可以访问同一存储桶中的任何其他列出的文件夹.请注意,您将无法阻止他们查看文件夹的内容,也不会阻止他们看到有其他存储桶,这是无法帮助的.但是,他们无法访问您选择的存储桶/文件夹.
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowUserToSeeBucketListInTheConsole",
"Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::*"]
},
{
"Sid": "AllowRootAndHomeListingOfCompanyBucket",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::yourbucketname"],
"Condition":{"StringEquals":{"s3:prefix":["","yourfoldername/"],"s3:delimiter":["/"]}}
},
{
"Sid": "AllowListingOfUserFolder",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::yourbucketname"],
"Condition":{"StringLike":{"s3:prefix":["yourfoldername/*"]}}
},
{
"Sid": "AllowAllS3ActionsInUserFolder",
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": ["arn:aws:s3:::yourbucketname/yourfoldername/*"]
},
{
"Action": [
"s3:*"
],
"Sid": "Stmt1375581921000",
"Resource": [
"arn:aws:s3:::yourbucketname/anotherfolder1/*",
"arn:aws:s3:::yourbucketname/anotherfolder2/*",
"arn:aws:s3:::yourbucketname/anotherfolder3/*",
"arn:aws:s3:::yourbucketname/anotherfolder4/*"
],
"Effect": "Deny"
}
]
}
| 归档时间: |
|
| 查看次数: |
4386 次 |
| 最近记录: |