AWS:限制IAM用户访问特定文件夹中的S3存储桶 [英] AWS: Restricting IAM User to Specific Folder in S3 Bucket
问题描述
所以,我一直在试图定义一个策略来限制一组IAM用户对特定文件夹中的S3存储桶,但没有成功。我riffed关在这篇博客文章中概述的政策。 <一href="http://blogs.aws.amazon.com/security/post/Tx1P2T3LFXXCNB5/Writing-IAM-policies-Grant-access-to-user-specific-folders-in-an-Amazon-S3-bucke" rel="nofollow">http://blogs.aws.amazon.com/security/post/Tx1P2T3LFXXCNB5/Writing-IAM-policies-Grant-access-to-user-specific-folders-in-an-Amazon-S3-bucke
So I've been trying to define a policy to restrict a group of IAM users to a particular folder in an S3 bucket with no success. I've riffed off the policy outlined in this blog post. http://blogs.aws.amazon.com/security/post/Tx1P2T3LFXXCNB5/Writing-IAM-policies-Grant-access-to-user-specific-folders-in-an-Amazon-S3-bucke
具体我使用了以下内容:
Specifically I'm using the following:
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowUserToSeeBucketListInTheConsole",
"Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::*"]
},
{
"Sid": "AllowRootAndHomeListingOfCompanyBucket",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket"],
"Condition":{"StringEquals":{"s3:delimiter":["/"]}}
},
{
"Sid": "AllowListingOfUserFolder",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket"],
"Condition":{"StringLike":{"s3:prefix":["myfolder"]}}
},
{
"Sid": "AllowAllS3ActionsInUserFolder",
"Effect": "Allow",
"Action": ["s3:*"],
"Resource": ["arn:aws:s3:::mybucket/myfolder/*"]
}
]
}
不幸的是这一政策由于某种原因,允许用户浏览,不仅到指定的文件夹,但其他文件夹present在同一个桶。如何限制用户以这样的方式即它们只能导航到指定的文件夹中?
Unfortunately this policy for some reason allows users to navigate not only into the specified folder but other folders present in the same bucket. How do I restrict users in such a way that they can only navigate into the specified folder?
推荐答案
我以前回答过这个,但我会从这里再回答。这是最好创建一个用户,然后将它们添加到一个组,然后分配给该组R / W的水桶。这是怎么写的政策一个典型的例子
I've answered this before, but I'll answer again from here. It's best to create a user then add them to a group then assign the group r/w to the bucket. This is a typical example of how write the policy
{
"Statement": [
{
"Sid": "sidgoeshere",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:ListBucket",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::s3bucket",
"arn:aws:s3:::s3bucket/*"
]
}
]
}
这篇关于AWS:限制IAM用户访问特定文件夹中的S3存储桶的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!