Amazon S3: restricting access to a single folder in an S3 bucket

Tags: amazon-s3, aws-cli

I want to restrict access to a single folder in an S3 bucket, and I have written an IAM role for the same. Somehow I am not able to upload/sync files to this folder. Here, bucket is the name of the bucket and folder is the folder I want to have access to:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUserToSeeBucketListInTheConsole",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*"
      ]
    },
    {
      "Sid": "AllowRootAndHomeListingOfBucket",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::bucket"
      ],
      "Condition": {
        "StringEquals": {
          "s3:prefix": [
            ""
          ],
          "s3:delimiter": [
            "/"
          ]
        }
      }
    },
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": [
        "s3:ListBucket",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:HeadObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::bucket"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "folder/*"
          ]
        }
      }
    }
  ]
}
Please point out where I am going wrong.

I believe that for the scenario you describe, AWS recommends bucket policies. AWS IAM should be used to secure AWS resources such as S3 itself, whereas bucket policies can be used to secure S3 buckets and documents. See AWS's blog post on this topic:

Since you asked for suggestions on where you went wrong: 1> In AllowListingOfUserFolder you have used an object as the resource but used bucket-level actions; "s3:prefix" will not work for object-level APIs. Please refer to the sample policy listed here:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListObjectsInBucket",
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::bucket-name"]
    },
    {
      "Sid": "AllObjectActions",
      "Effect": "Allow",
      "Action": "s3:*Object",
      "Resource": ["arn:aws:s3:::bucket-name/*"]
    }
  ]
}
This restrictive IAM policy grants only list and upload access to a specific prefix in a specific bucket. It is also intended to allow multipart uploads:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::mybucket",
      "Condition": {
        "StringLike": {
          "s3:prefix": "my/prefix/is/this/*"
        }
      }
    },
    {
      "Sid": "UploadObject",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": [
        "arn:aws:s3:::mybucket/my/prefix/is/this/*"
      ]
    }
  ]
}

References:

Note that specifying the s3:ListBucket resource compactly as "arn:aws:s3:::mybucket/my/prefix/is/this/*" does not work.

Please edit your question and add details of what you tried (e.g. show the command you used to upload/sync) and the error message you got. Also, are you using an IAM user or an IAM role? If it is a role, how are you using the role (e.g. is it assigned to an EC2 instance, or are you assuming it)?
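An added example, not code from the question or from either answer: a stdlib-only Python checker for the bucket-ARN versus object-ARN mismatch the answers describe (object actions on a bucket ARN, an s3:prefix condition on object-level actions, or s3:ListBucket on an object ARN), plus a generator for the recommended policy shape. The BUCKET_ACTIONS and OBJECT_ACTIONS sets and all function names are my own assumptions for illustration, not an AWS API.

```python
from fnmatch import fnmatchcase

# Actions evaluated against the bucket ARN (arn:aws:s3:::bucket); s3:prefix only applies here.
BUCKET_ACTIONS = {"s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:GetBucketLocation"}
# Actions evaluated against object ARNs (arn:aws:s3:::bucket/key); the folder goes in the ARN.
OBJECT_ACTIONS = {"s3:GetObject", "s3:GetObjectAcl", "s3:PutObject", "s3:PutObjectAcl",
                  "s3:DeleteObject", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"}

_as_list = lambda value: value if isinstance(value, list) else [value]

def is_object_arn(arn):
    # A "/" after the bucket name makes it an object ARN; a bare bucket name (or "*") is not.
    return "/" in arn.partition(":::")[2]

def action_kinds(action):
    # Classify an Action string, honouring IAM wildcards such as "s3:*Object".
    return {kind for kind, known in (("bucket", BUCKET_ACTIONS), ("object", OBJECT_ACTIONS))
            if any(fnmatchcase(a, action) for a in known)}

def lint_statement(stmt):
    # Return findings for one statement; an empty list means no bucket/object mismatch.
    sid, findings = stmt.get("Sid", "<no Sid>"), []
    actions, resources = _as_list(stmt.get("Action", [])), _as_list(stmt.get("Resource", []))
    for action in actions:
        kinds = action_kinds(action)
        for res in resources:
            if kinds == {"bucket"} and is_object_arn(res):
                findings.append(f"{sid}: {action} must target the bucket ARN, not {res}")
            elif kinds == {"object"} and not is_object_arn(res):
                findings.append(f"{sid}: {action} must target bucket/prefix/* objects, not {res}")
    cond_keys = {k for block in stmt.get("Condition", {}).values() for k in block}
    if "s3:prefix" in cond_keys and any("object" in action_kinds(a) for a in actions):
        findings.append(f"{sid}: s3:prefix condition has no effect on object-level actions")
    return findings

def lint_policy(policy):
    return [f for stmt in policy["Statement"] for f in lint_statement(stmt)]

def prefix_policy(bucket, prefix):
    # The shape the answers recommend: ListBucket on the bucket ARN filtered by s3:prefix,
    # and object actions (including multipart upload) on bucket/prefix/* only.
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ListPrefix", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{bucket}",
         "Condition": {"StringLike": {"s3:prefix": [f"{prefix}/*"]}}},
        {"Sid": "ObjectsUnderPrefix", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:AbortMultipartUpload",
                    "s3:ListMultipartUploadParts"],
         "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*"}]}
```

Running lint_statement over the question's AllowListingOfUserFolder statement reports the object actions on the bucket ARN and the ineffective s3:prefix condition, while lint_policy(prefix_policy("bucket", "folder")) returns no findings.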