如何为多个IAM用户设置S3策略，以使每个人只能访问其个人存储桶文件夹? [英] How to set up S3 Policies for multiple IAM users such that each individual only has access to their personal bucket folder?

问题描述

我有两个用户User1和User2，每个用户在AWS中都有一个IAM帐户.我有一个s3存储桶"external_bucket.frommycompany.com".在该存储桶中，是每个用户帐户"User1"和"User2"的文件夹.我只想向User1授予对User1的R/W访问权限，而对User2文件夹仅对User2的R/W访问权限.我不希望他们能够在external_bucket.frommycompany.com的根目录中看到彼此的文件夹.有没有办法设置他们的IAM策略，使之成为可能?

I have two users User1 and User2 that each have an IAM account in AWS. I have an s3 bucket "external_bucket.frommycompany.com". In that bucket is a folder for each user account "User1" and "User2". I want to grant R/W access to User1 to the User1 folder only and R/W access to User2 to the User2 folder only. I don't want them to be able to see each others' folders in the root directory of external_bucket.frommycompany.com. Is there a way to set up their IAM Policies such that this is possible?

我的目标是使我们的用户能够从诸如cloudberry之类的S3浏览器应用程序连接到S3存储桶，以便他们只能将文件上传和下载到其文件夹中.

My goal is to enable our users to connect to the S3 bucket from an S3 browser app like cloudberry so they can upload and download files to their folders only.

欢迎就最佳设计提出任何建议.

Any advice on the best design for this is welcome.

推荐答案

来自这样的事情应该可以允许User1仅访问User1的文件夹:

Something like this should work to allow User1 to only access User1's folder:

{
 "Version":"2012-10-17",
 "Statement": [
   {
     "Sid": "AllowUserToSeeBucketListInTheConsole",
     "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::*"]
   },
  {
     "Sid": "AllowRootAndHomeListingOfCompanyBucket",
     "Action": ["s3:ListBucket"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::my-company"],
     "Condition":{"StringEquals":{"s3:prefix":["","/"],"s3:delimiter":["/"]}}
    },
   {
     "Sid": "AllowListingOfUserFolder",
     "Action": ["s3:ListBucket"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::my-company"],
     "Condition":{"StringLike":{"s3:prefix":["user1/*"]}}
   },
   {
     "Sid": "AllowAllS3ActionsInUserFolder",
     "Effect": "Allow",
     "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::user1/*"]
   }
 ]
}

将其应用为User1的策略，并且他们只能访问user1/文件夹. "s3:prefix":["","/"]...部分可能可以更改，但是我对策略语言不够熟悉，无法知道如何操作.

Apply that as User1's policy, and they should only be able to access the user1/ folder. The "s3:prefix":["","/"]... part can probably be changed, but I'm not familiar enough with the policy language to know how.

如果在User2的策略​​中用user2代替user1，则User2应该只能访问user2/文件夹，依此类推.

If you substitute user2 for user1 in User2's policy, User2 should only be able to access the user2/ folder, and so on.

这篇关于如何为多个IAM用户设置S3策略，以使每个人只能访问其个人存储桶文件夹?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！