Amazon Web Services: how do I specify multiple buckets in a BucketPolicy in a CFN template?
Tags: amazon-web-services, amazon-s3, amazon-cloudformation

Hopefully this is a quick and simple question. Here is an example of setting a BucketPolicy on a bucket in a CFN template:
```json
"mybucketpolicy" : {
  "Type" : "AWS::S3::BucketPolicy",
  "Properties" : {
    "PolicyDocument" : {
      "Id" : "MyPolicy",
      "Statement" : [ {
        "Sid" : "ReadAccess",
        "Action" : [ "s3:GetObject" ],
        "Effect" : "Allow",
        "Resource" : { "Fn::Join" : [
          "", [ "arn:aws:s3:::", { "Ref" : "mybucket" } , "/*" ]
        ] },
        "Principal" : {
          "AWS" : { "Fn::GetAtt" : [ "mygroup", "Arn" ] }
        }
      } ]
    },
    "Bucket" : { "Ref" : "mybucket" }
  }
}
```
If I want to apply a policy to another bucket besides mybucket, how would I do that?
Do I have to:
1. Create a whole new BucketPolicy, say "mybucketpolicy2", that is very similar to the above?
2. Just add another item to the "Statement" array above with the new bucket name? If so, wouldn't that conflict with the "Bucket" key above?
3. Is there another way?
Thanks a lot for your help.
--Su
PS: I asked the same question on the AWS CFN forum, but I have come to realise that I get answers faster on SO than on the AWS forums.

Answer:

You cannot attach an AWS::S3::BucketPolicy resource to more than one bucket. To attach a policy to multiple resources you need to use IAM resources. That resource type is for defining policies through IAM management and applying them to various resources. In my opinion the IAM interface is more powerful and flexible (but more complex) than the old-style policy resource. Not only can you apply a single policy to multiple buckets, you can also apply multiple policies (statements) to multiple buckets and assign them to multiple IAM users/groups/roles.

You can grant access to a specific policy using IAM groups or users, which can be created in the CloudFormation template with AWS::IAM::Group resources.

Adapt this snippet to your needs:
```json
"GetS3ContentPolicy" : {
  "Type" : "AWS::IAM::Policy",
  "Properties" : {
    "PolicyName" : "S3ContentPolicy",
    "PolicyDocument" : {
      "Statement" : [ {
        "Effect" : "Allow",
        "Action" : [
          "s3:ListBucket"
        ],
        "Resource" : [
          { "Fn::Join" : ["", [ "arn:aws:s3:::", { "Ref" : "PubS3Bucket" } ] ] },
          { "Fn::Join" : ["", [ "arn:aws:s3:::", { "Ref" : "SecretS3Bucket" } ] ] }
        ]
      },
      {
        "Effect" : "Allow",
        "Action" : [
          "s3:GetObject",
          "s3:GetObjectVersion"
        ],
        "Resource" : [
          { "Fn::Join" : ["", [ "arn:aws:s3:::", { "Ref" : "PubS3Bucket" }, "/*" ] ] },
          { "Fn::Join" : ["", [ "arn:aws:s3:::", { "Ref" : "SecretS3Bucket" }, "/*" ] ] }
        ]
      } ]
    },
    "Groups" : [
      { "Ref" : "ManagementInstancesGroup" },
      { "Ref" : "WebInstancesGroup" }
    ]
  }
}
```
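To make the answer's point concrete, here is an added Python example (not code from the question or the answer) that generates both shapes for any list of buckets: the single AWS::IAM::Policy the answer recommends, and the per-bucket AWS::S3::BucketPolicy resources of option 1 in the question. It also includes a small lint showing why option 2 cannot work: a BucketPolicy's statements may only reference the bucket named in its Bucket property, and S3 rejects a policy whose Resource points elsewhere. The logical IDs (PubS3Bucket, SecretS3Bucket, WebInstancesGroup) and the role ARN are placeholders assumed to be defined elsewhere in the template.

```python
"""Build CloudFormation resources that grant read access to several S3 buckets.

Added example, not from the question or the answer. Logical IDs passed in
are assumed to be declared elsewhere in the same template.
"""
import json


def bucket_arn(logical_id):
    # arn:aws:s3:::<bucket>  -- bucket-level actions such as s3:ListBucket
    return {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": logical_id}]]}


def object_arn(logical_id):
    # arn:aws:s3:::<bucket>/*  -- object-level actions such as s3:GetObject
    return {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": logical_id}, "/*"]]}


def iam_read_policy(policy_name, bucket_ids, group_ids):
    """One AWS::IAM::Policy covering every bucket (the answer's approach).

    Bucket-level and object-level actions sit in separate statements because
    they need different ARN shapes; mixing them silently grants less than intended.
    """
    return {
        "Type": "AWS::IAM::Policy",
        "Properties": {
            "PolicyName": policy_name,
            "PolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {"Sid": "ListBuckets", "Effect": "Allow",
                     "Action": ["s3:ListBucket"],
                     "Resource": [bucket_arn(b) for b in bucket_ids]},
                    {"Sid": "ReadObjects", "Effect": "Allow",
                     "Action": ["s3:GetObject", "s3:GetObjectVersion"],
                     "Resource": [object_arn(b) for b in bucket_ids]},
                ],
            },
            "Groups": [{"Ref": g} for g in group_ids],
        },
    }


def bucket_policies(bucket_ids, principal_arn):
    """Option 1 from the question: a separate AWS::S3::BucketPolicy per bucket.

    A bucket policy is resource-based, so its Principal must be an account,
    IAM user or IAM role ARN; IAM groups are not valid principals.
    """
    resources = {}
    for b in bucket_ids:
        resources[b + "Policy"] = {
            "Type": "AWS::S3::BucketPolicy",
            "Properties": {
                "Bucket": {"Ref": b},
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Sid": "ReadAccess", "Effect": "Allow",
                        "Principal": {"AWS": principal_arn},
                        "Action": ["s3:GetObject"],
                        "Resource": object_arn(b),
                    }],
                },
            },
        }
    return resources


def refs_in(node):
    """Collect every {"Ref": X} logical ID inside a template fragment."""
    found = set()
    if isinstance(node, dict):
        if set(node) == {"Ref"}:
            found.add(node["Ref"])
        for v in node.values():
            found |= refs_in(v)
    elif isinstance(node, list):
        for v in node:
            found |= refs_in(v)
    return found


def check_bucket_policies(resources):
    """Names of BucketPolicy resources whose statements reference a bucket
    other than the one in their Bucket property (S3 would reject these)."""
    bad = []
    for name, res in resources.items():
        if res.get("Type") != "AWS::S3::BucketPolicy":
            continue
        own = res["Properties"]["Bucket"]["Ref"]
        statements = res["Properties"]["PolicyDocument"]["Statement"]
        if refs_in([s["Resource"] for s in statements]) - {own}:
            bad.append(name)
    return bad


if __name__ == "__main__":
    buckets = ["PubS3Bucket", "SecretS3Bucket"]  # placeholder logical IDs
    resources = {"GetS3ContentPolicy": iam_read_policy(
        "S3ContentPolicy", buckets, ["WebInstancesGroup"])}
    # constructed placeholder role ARN; a real template would Fn::GetAtt a role's Arn
    resources.update(bucket_policies(buckets, "arn:aws:iam::123456789012:role/WebInstanceRole"))
    assert check_bucket_policies(resources) == []
    print(json.dumps({"Resources": resources}, indent=2))
```

One caveat worth keeping in mind when choosing between the two shapes: the question's snippet uses Fn::GetAtt on an IAM group as the bucket policy's Principal, but resource-based policies cannot name a group as a principal (groups carry permissions, they are not authenticated identities), so a per-bucket BucketPolicy needs a user, role or account ARN there, while the IAM policy route attaches to groups directly.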