授予访问权限以读取Amazon S3存储桶中的子目录 [英] Grant access to read a subdirectory within an Amazon S3 bucket

问题描述

我以前从未使用过AWS S3。我们使用它来自动备份客户端的通话记录。我们的一位出于审核目的的客户需要访问他们的录音。

I've never used AWS S3 before. We use it to automatically backup call recordings for clients. One of our clients for audit purposes needs access to their recordings.

我正在使用客户端Cyber​​Duck作为访问文件的一种方式。

I am using the client CyberDuck as a way to access the files.

我只想让他们访问他们的文件。

I want to give them access to only their files.

我们的文件结构如下：

recordings/12345/COMPANYNAMEHERE/

I刚刚了解到您是根据脚本和策略构建并执行操作的。因此，我进行了一些研究，并试图建立一个研究，但是我获得的访问被拒绝。

I just learned that you build and do things based on scripts and policies. So I did some research and tried to build one but I get an access denied on listing.

很好奇我是否正确地处理了这个问题。

Just curious if I am going about this correctly.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::recordings/12345/COMPANYNAMEHERE",
                "arn:aws:s3:::recordings/12345/COMPANYNAMEHERE/*"
            ]
        }
    ]
}

推荐答案

您只给了他们具有 ListAllMyBuckets 的权限，这意味着他们只能列出您的存储桶的名称，而不能做其他任何事情。

You have only given them permission to ListAllMyBuckets, which means they can only list the names of your buckets, and can't do anything else.

如果您已经为他们创建了一个IAM用户，那么给他们提供此策略将允许他们列出和检索他们的文件，但只能从给定的目录中（或更准确地说，是使用给定的首选项） ix）：

If you have already created an IAM User for them, then giving them this policy would allow them to list and retrieve their files, but only from the given directory (or, more accurately, with the given prefix):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::my-bucket"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "recordings/123/*"
                    ]
                }
            }
        },
        {
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::my-bucket/recordings/123/*"
            ]
        }
    ]
}

如果您与客户经常这样做，则可以使用 IAM策略变量创建一个替换其用户名的规则：

If you do this a lot with customers, then you can use IAM Policy Variables to create a rule that substitutes their username:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::my-bucket"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "recordings/${aws:username}/*"
                    ]
                }
            }
        },
        {
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::my-bucket/recordings/${aws:username}/*"
            ]
        }
    ]
}

这篇关于授予访问权限以读取Amazon S3存储桶中的子目录的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！