Clo*_*udy 13 amazon-s3 amazon-web-services aws-cli
我想限制对 S3 存储桶中单个文件夹的访问,并且我已经为其编写了 IAM。但是我仍然无法将文件上传/同步到此文件夹。这里bucket是存储桶名称,folder也是我想要授予访问权限的文件夹。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUserToSeeBucketListInTheConsole",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Sid": "AllowRootAndHomeListingOfBucket",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bucket"
],
"Condition": {
"StringEquals": {
"s3:prefix": [
""
],
"s3:delimiter": [
"/"
]
}
}
},
{
"Sid": "AllowListingOfUserFolder",
"Action": [
"s3:ListBucket",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:HeadObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bucket"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"folder/*"
]
}
}
}
]
}
请指出我哪里错了。
Acu*_*nus 16
此限制性 IAM 策略仅授予对特定存储桶中特定前缀的列表和上传访问权限。它还打算允许分段上传。
参考:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListBucket",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::mybucket",
"Condition": {
"StringLike": {
"s3:prefix": "my/prefix/is/this/*"
}
}
},
{
"Sid": "UploadObject",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts"
],
"Resource": [
"arn:aws:s3:::mybucket/my/prefix/is/this/*",
]
}
]
}
s3:ListBucket请注意,紧凑地指定资源"arn:aws:s3:::mybucket/my/prefix/is/this/*"是行不通的。
use*_*525 -2
我相信对于您描述的场景,AWS 建议使用存储桶策略。AWS IAM 应用于保护 AWS 资源(例如 S3 本身),而存储桶策略可用于保护 S3 存储桶和文档。
查看关于该主题的 AWS 博客文章:
| 归档时间: |
|
| 查看次数: |
20441 次 |
| 最近记录: |