用于IAM访问的Amazon S3存储桶和文件夹策略? [英] Amazon S3 Bucket and Folder Policy for IAM access?

问题描述

您在理解S3 IAM策略和指令时遇到问题吗?无法完全了解他们的文档吗?我做到了

Do you have a problem understanding S3 IAM Policies and Directives ? Can't quite wrap your head around their documentation ? I did.

我遇到的情况是，我不得不从一个特定的文件夹中锁定几个IAM用户，除了一个以外，还有几个存储桶，而就我而言，他们的大多数解决方案和示例解决方案几乎都是泥泞的.在网上搜索并没有找到我想要的东西后，我发现了一种资源 (

I had a situation where I had to lock out several IAM users from a particular folder, and several buckets, except one, and most of their solutions and example solutions were about as clear as mud as far as I was concerned. After scouring the web and not finding what I was looking for I came upon a resource (http://blogs.aws.amazon.com/security/post/Tx1P2T3LFXXCNB5/Writing-IAM-policies-Grant-access-to-user-specific-folders-in-an-Amazon-S3-bucke) that was clear and actually helpful, but it did need some modification, and result is the policy you see below....

它的作用是允许用户访问存储桶中的特定文件夹，但拒绝访问同一存储桶中任何其他列出的文件夹.请注意，您将无法阻止他们查看文件夹的内容，也不会阻止他们看到还有其他存储桶，这无济于事.但是，他们将无权访问您选择的存储桶/文件夹.

What it does is allows the user access to a particular folder within a bucket, but DENIES access to any other listed folder in the same bucket. Mind you, you will not be able to block them from viewing the contents of the folder, nor will you block them from seeing that there are other buckets, that can't be helped. However, they won't have access to the bucket/folder of your choice.

推荐答案

{
 "Version":"2012-10-17",
 "Statement": [
   {
     "Sid": "AllowUserToSeeBucketListInTheConsole",
     "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::*"]
   },
  {
     "Sid": "AllowRootAndHomeListingOfCompanyBucket",
     "Action": ["s3:ListBucket"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::yourbucketname"],
     "Condition":{"StringEquals":{"s3:prefix":["","yourfoldername/"],"s3:delimiter":["/"]}}
    },
   {
     "Sid": "AllowListingOfUserFolder",
     "Action": ["s3:ListBucket"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::yourbucketname"],
     "Condition":{"StringLike":{"s3:prefix":["yourfoldername/*"]}}
   },
   {
     "Sid": "AllowAllS3ActionsInUserFolder",
     "Effect": "Allow",
     "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::yourbucketname/yourfoldername/*"]
   },
{
      "Action": [
        "s3:*"
      ],
      "Sid": "Stmt1375581921000",
      "Resource": [
"arn:aws:s3:::yourbucketname/anotherfolder1/*",
"arn:aws:s3:::yourbucketname/anotherfolder2/*",
"arn:aws:s3:::yourbucketname/anotherfolder3/*",
"arn:aws:s3:::yourbucketname/anotherfolder4/*"
      ],
      "Effect": "Deny"
    }
 ]
}

这篇关于用于IAM访问的Amazon S3存储桶和文件夹策略?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！