具有IAM角色的s3的对象级别限制 [英] Object level restriction for s3 with IAM Role
本文介绍了具有IAM角色的s3的对象级别限制的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我正在尝试在S3的对象级别上限制用户访问.
I am trying to restrict user access at the object level in S3.
s3存储桶中有2个文件夹.我试图只允许访问对象中的一个文件夹.
There are 2 folders in the s3 bucket. I am trying to give access to only one folder among the object.
两个文件夹是:
- 经纪人
- 运营商
这是IAM角色政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::lodeobucket"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:DeleteObject",
"s3:DeleteObjectVersion"
],
"Resource": "arn:aws:s3:::lodeobucket/broker/*"
}
]
}
但是用户也可以访问运营商文件夹.
But the user is able to access the carrier folder as well.
有人可以建议我想念什么吗?
Could anyone suggest what am I missing?
推荐答案
如果添加以下条件:
"Condition":{"StringLike":{"s3:prefix":["","broker/*"]}}
您将无法输入运营商文件夹.它仍将在控制台中可见.我认为您无法隐藏"其他文件夹,因为这会破坏控制台访问权限.
you user will not be able to enter carrier folder. It will still be visible in console. I don't think you can "hide" other folders, as this will break console access.
您可以尝试以下政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::lodeobucket",
"Condition":{"StringLike":{"s3:prefix":["","broker/*"]}}
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:DeleteObject",
"s3:DeleteObjectVersion"
],
"Resource": "arn:aws:s3:::lodeobucket/broker/*"
}
]
}
这篇关于具有IAM角色的s3的对象级别限制的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文