Permissions AWS中的细粒度策略文档权限
我希望能够允许通过IAM创建的用户能够在管理控制台中查看一个特定的bucket。此外,我想将其限制为bucket中的一个文件夹,这样权限将是: S3控制台访问我的存储桶/文件夹/* 如何使用策略生成器执行此操作?我目前有:Permissions AWS中的细粒度策略文档权限,permissions,amazon-s3,authorization,amazon-web-services,group-policy,Permissions,Amazon S3,Authorization,Amazon Web Services,Group Policy,我希望能够允许通过IAM创建的用户能够在管理控制台中查看一个特定的bucket。此外,我想将其限制为bucket中的一个文件夹,这样权限将是: S3控制台访问我的存储桶/文件夹/* 如何使用策略生成器执行此操作?我目前有: { "Statement": [ { "Effect": "Allow", "Action": "s3:*", "Resource": "*" } ] } 但是,当我修改资源位置--arn:aws:s3:::my
{
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}
但是,当我修改资源位置--
arn:aws:s3:::my bucket/folder
,它会阻止用户使用控制台。这可能吗?我需要做些什么才能解决这个问题?这方面的政策提醒我要做一个Euler近似,但我就是这样做的(有注释要解释):
这方面的政策提醒我做Euler近似,但我就是这样做的(要解释的话):
{
"Statement": [
{ // first, allow unlimited access for S3
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
},
{ // second, deny access to all buckets except for the particular bucket
"Action": [
"s3:*"
],
"Effect": "Deny",
"Resource": [
list-of-my-other-buckets
]
},
{ // third, since we've already given * permissions, the bucket has full
// permissions, and we need to restrcit all the permissions we don't want to give
"Action": [
"s3:AbortMultipartUpload",
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetBucketAcl",
"s3:GetBucketNotification",
"s3:GetBucketPolicy",
"s3:GetBucketRequestPayment",
"s3:GetObjectAcl",
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:PutBucketAcl",
"s3:PutBucketNotification",
"s3:PutBucketPolicy",
"s3:PutBucketRequestPayment",
"s3:PutBucketVersioning",
"s3:PutObjectAcl",
"s3:PutObjectVersionAcl"
],
"Effect": "Deny",
"Resource": [
"arn:aws:s3:::my-bucket/*"
]
}
]
}