Amazon s3 限制对S3 bucket中单个文件夹的访问_Amazon S3_Aws Cli

Amazon s3 限制对S3 bucket中单个文件夹的访问

amazon-s3

Amazon s3 限制对S3 bucket中单个文件夹的访问,amazon-s3,aws-cli,Amazon S3,Aws Cli,我想限制对S3 bucket中单个文件夹的访问我已经为同样的角色写了一个IAM角色。不知何故，我没有将文件上载/同步到此文件夹。在这里，bucket是bucket的名称，folder是我想要访问的文件夹 { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowUserToSeeBucketListInTheConsole", "Action": [

我想限制对S3 bucket中单个文件夹的访问

我已经为同样的角色写了一个IAM角色。不知何故，我没有将文件上载/同步到此文件夹。在这里，bucket是bucket的名称，folder是我想要访问的文件夹

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUserToSeeBucketListInTheConsole",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Sid": "AllowRootAndHomeListingOfBucket",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::bucket"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:prefix": [
                        ""
                    ],
                    "s3:delimiter": [
                        "/"
                    ]
                }
            }
        },
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:HeadObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::bucket"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "folder/*"
                    ]
                }
            }
        }
    ]
}

请指出我错在哪里。

我相信对于您描述的场景，AWS推荐了Bucket策略。AWS IAM应用于保护AWS资源，如S3本身，而Bucket策略可用于保护S3 Bucket和文档

查看AWS关于此主题的博客帖子：

既然您要求提出建议，您错在哪里： 1> 在AllowListingOfUserFolder中，您使用了对象作为资源，但使用了bucket级别的操作，“s3:prefix”将不适用于对象级别的API

请参考此处列出的示例策略：

希望这有帮助

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListObjectsInBucket",
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::bucket-name"]
        },
        {
            "Sid": "AllObjectActions",
            "Effect": "Allow",
            "Action": "s3:*Object",
            "Resource": ["arn:aws:s3:::bucket-name/*"]
        }
    ]
}

此限制性IAM策略仅授予对特定存储桶中特定前缀的列表和上载访问权。它还打算允许多部分上传

参考资料：

请注意，将

s3:ListBucket

资源紧凑地指定为

“arn:aws:s3:：：mybucket/my/prefix/is/this/*”

不起作用。

请编辑您的问题并添加您尝试执行的操作的详细信息（例如显示您用于上载/同步的命令）以及出现的错误消息。另外，您使用的是IAM用户还是IAM角色？如果它是一个角色，您如何使用该角色（例如，是将其分配给EC2实例，还是假定它）？

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListBucket",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::mybucket",
            "Condition": {
                "StringLike": {
                    "s3:prefix": "my/prefix/is/this/*"
                }
            }
        },
        {
            "Sid": "UploadObject",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket/my/prefix/is/this/*",
            ]
        }
    ]
}