我想限制对 S3 存储桶中单个文件夹的访问,我已经为其编写了 IAM。但是我仍然无法将文件上传/同步到此文件夹。这里,
bucket
是存储桶名称,folder
是我想要授予访问权限的文件夹。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUserToSeeBucketListInTheConsole",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Sid": "AllowRootAndHomeListingOfBucket",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bucket"
],
"Condition": {
"StringEquals": {
"s3:prefix": [
""
],
"s3:delimiter": [
"/"
]
}
}
},
{
"Sid": "AllowListingOfUserFolder",
"Action": [
"s3:ListBucket",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:HeadObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bucket"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"folder/*"
]
}
}
}
]
}
有错误的地方请指出。
此限制性 IAM 策略仅授予对特定存储桶中特定前缀的列表和上传访问权限。它还打算允许分段上传。
参考资料:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListBucket",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::mybucket",
"Condition": {
"StringLike": {
"s3:prefix": "my/prefix/is/this/*"
}
}
},
{
"Sid": "UploadObject",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts"
],
"Resource": [
"arn:aws:s3:::mybucket/my/prefix/is/this/*",
]
}
]
}
请注意,将
s3:ListBucket
资源紧凑地指定为 "arn:aws:s3:::mybucket/my/prefix/is/this/*"
不起作用。
既然你要求建议,你错在哪里: 1> 在AllowListingOfUserFolder中,您已使用对象作为资源,但您使用了存储桶级别操作,并且“s3:prefix”不适用于对象级别API。
请参阅此处列出的示例政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListObjectsInBucket",
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::bucket-name"]
},
{
"Sid": "AllObjectActions",
"Effect": "Allow",
"Action": "s3:*Object",
"Resource": ["arn:aws:s3:::bucket-name/*"]
}
]
}
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_s3_rw-bucket.html
我相信对于您描述的场景,AWS 建议使用存储桶策略。 AWS IAM 应用于保护 AWS 资源(例如 S3 本身),而存储桶策略可用于保护 S3 存储桶和文档。
查看关于该主题的 AWS 博客文章: