我已经能够生成一个只提供对特定存储桶的访问权限的用户策略,但是在尝试了所有内容之后(包括这篇文章:是否有限制访问的S3策略只能查看/访问一个存储桶?).
问题:我无法将桶的列表限制为只有一个桶.出于各种原因,我不希望列表显示除指定的桶之外的任何桶.
我尝试了各种政策,但无济于事.这是我的最新策略JSON,它正在限制操作,但没有列出:
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Deny",
"Action": [
"s3:ListBucket"
],
"NotResource": [
"arn:aws:s3:::acgbu-acg",
"arn:aws:s3:::acgbu-acg/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::acgbu-acg",
"arn:aws:s3:::acgbu-acg/*"
]
}
]
}
任何帮助将不胜感激.我开始怀疑它是否可能.
我试图限制我的存储桶以拒绝所有内容,但允许从一个特定 IAM 用户上传并根据referer标头获取对象。这是我的政策:
{
"Version": "2012-10-17",
"Id": "Meteor refer policy",
"Statement": [
{
"Sid": "allow upload",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::556754141176:user/username"
},
"Action": "s3:PutObject*",
"Resource": [
"arn:aws:s3:::bucketname",
"arn:aws:s3:::bucketname/*"
]
},
{
"Sid": "Allow get",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "bucketname/*",
"Condition": {
"StringLike": {
"aws:Referer": [
"http://myapp.com*",
"http://localhost*"
]
}
}
},
{
"Sid": "Explicit deny",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "bucketname/*",
"Condition": {
"StringNotLike": {
"aws:Referer": [
"http://myapp.com*",
"http://localhost*"
]
}
} …有没有办法指定存储桶创建策略,以便具有指定角色的用户只能创建具有指定名称模式的存储桶,而company-dbbackup-*不能创建其他名称模式?
例如,用户将被允许创建名称为company-dbbackup-March2017和 的存储桶company-dbbackup-fullarchive,但不允许创建存储桶test-bucketname-invalid。
我现在拥有的:
{
"Sid": "Stmt1493212897117",
"Action": [
"s3:CreateBucket",
"s3:ListAllMyBuckets"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::*"
}
但这允许我创建具有任何名称的存储桶。