S3存储桶的IAM组策略:拒绝文件夹但不拒绝文件 [英] IAM Group Policy for S3 bucket: deny folders but not files

问题描述

此问题引用了相同的 aws博客我一直在尝试利用它来满足我的需求，但没有成功.我一直在对该解决方案及其所引用的示例策略的解决方案进行整日的修改，但均未获得成功.我基本上是希望允许不同的IAM组完全访问存储桶中的公共子文件夹对象，同时根据组成员身份选择性地允许/拒绝对其他子文件夹对象的访问.

this question references the same aws blog I've been trying to leverage in order to meet my needs, but without any success. I've been hacking on the solution in that answer AND the example policies it references all day without any success. I'm basically looking to allow different IAM groups full access to a common subfolder object within a bucket while selectively allowing/denying access to OTHER subfolders object based on group membership.

桶结构:
我的财务桶\
my-finance-bucket \ files
我的财务时段\我们的财务团队\
我的财务时段\我们的财务团队\文件
我的财务时段\我们的财务团队\报告\
我的财务时段\我们的财务团队\报告\文件
我的财务时段\我们的财务团队\报告\报告1-名称\
我的财务时段\我们的财务团队\报告\报告1-名称\文件
我的财务时段\我们的财务团队\报告\报告2-名称\
我的财务时段\我们的财务团队\报告\报告2-名称\文件
我的财务时段\我们的财务团队\数据\
我的财务时段\我们的财务团队\数据\文件
我的财务桶\我们的财务团队\东西\
my-finance-bucket \ Our-Finance-Team \ Stuff \ files

Bucket structure:
my-finance-bucket\
my-finance-bucket\files
my-finance-bucket\Our-Finance-Team\
my-finance-bucket\Our-Finance-Team\files
my-finance-bucket\Our-Finance-Team\Reports\
my-finance-bucket\Our-Finance-Team\Reports\files
my-finance-bucket\Our-Finance-Team\Reports\report1-name\
my-finance-bucket\Our-Finance-Team\Reports\report1-name\files
my-finance-bucket\Our-Finance-Team\Reports\report2-name\
my-finance-bucket\Our-Finance-Team\Reports\report2-name\files
my-finance-bucket\Our-Finance-Team\Data\
my-finance-bucket\Our-Finance-Team\Data\files
my-finance-bucket\Our-Finance-Team\Stuff\
my-finance-bucket\Our-Finance-Team\Stuff\files

我什至不确定我要做什么，但是我想创建3个名为:全部财务，财务数据和财务报告的组.

I'm not even sure that what I'm looking to do is possible, but I want to create 3 groups named: finance-all, finance-data, and finance-reports.

我希望所有3个群组都可以访问:
我的财务桶\
my-finance-bucket \ files
我的财务时段\我们的财务团队\
我的财务时段\我们的财务团队\文件
我的财务桶\我们的财务团队\东西\
my-finance-bucket \ Our-Finance-Team \ Stuff \ files

I want all 3 groups to have access to:
my-finance-bucket\
my-finance-bucket\files
my-finance-bucket\Our-Finance-Team\
my-finance-bucket\Our-Finance-Team\files
my-finance-bucket\Our-Finance-Team\Stuff\
my-finance-bucket\Our-Finance-Team\Stuff\files

此外，我还有以下要求:
Finance-all组具有s3:*允许访问my-finance-bucket下的所有内容
(我认为这很容易，并且可以作为允许s3:*到arn:aws:s3 ::://my-finance-bucket和arn:aws:s3 ::://my-finance-桶/*)

additionally, I have these requirements:
finance-all group has s3:* allow access to EVERYTHING under my-finance-bucket
(This is easy I think, and can probably stand alone as a separate group policy allowing s3:* to arn:aws:s3:::/my-finance-bucket and arn:aws:s3:::/my-finance-bucket/*)

财务数据组具有上面列出的共享访问权限，加上s3:* Object *允许执行以下操作:
我的财务时段\我们的财务团队\数据\
我的财务时段\我们的财务团队\数据\文件
无法访问未指定的其他任何内容

finance-data group has the shared access listed above plus s3:*Object* allow to:
my-finance-bucket\Our-Finance-Team\Data\
my-finance-bucket\Our-Finance-Team\Data\files
no access to anything else that isn't specified

finance-reports具有上面列出的共享访问权限，加上s3:* Object *允许:
我的财务时段\我们的财务团队\报告\
我的财务时段\我们的财务团队\报告\文件
我的财务时段\我们的财务团队\报告\报告1-名称\
我的财务时段\我们的财务团队\报告\报告1-名称\文件
我的财务时段\我们的财务团队\报告\报告2-名称\
我的财务时段\我们的财务团队\报告\报告2-名称\文件
不能访问未指定的其他任何内容

finance-reports has the shared access listed above, plus s3:*Object* allow to:
my-finance-bucket\Our-Finance-Team\Reports\
my-finance-bucket\Our-Finance-Team\Reports\files
my-finance-bucket\Our-Finance-Team\Reports\report1-name\
my-finance-bucket\Our-Finance-Team\Reports\report1-name\files
my-finance-bucket\Our-Finance-Team\Reports\report2-name\
my-finance-bucket\Our-Finance-Team\Reports\report2-name\files
no access to anything else that isn't specified

我知道我必须首先允许"ListAllMyBuckets"，结果，表示文件夹和文件的对象将递归地显示在所有文件夹中并且可以列出.尽管不是最佳选择，但它并不是秀场上的阻碍，因为对于不在其适当组中的用户，查看，获取或放置文件都将被拒绝.

I'm aware that I will have to start with allowing "ListAllMyBuckets" and that as a consequence the objects representing the folders and files will be visible and listable for all folders, recursively. Though sub-optimal, it's not a show stopper since viewing, getting or putting files is to be denied for users not in their appropriate groups.

我知道大多数人会问你做了什么"，以试图纠正我已经完成的任何工作-但是，我经历了数十次迭代，甚至没有什么比我看上去的要好去做.链接的答案和链接的aws博客文章中列出的代码是我以此为出发点的起点，并且可以作为基准

I realize most folks will ask "what have you done" in attempt to help correct whatever work I've done already - however I've gone through literally dozens of iterations and nothing has even come close to what I'm looking to do. the code listed in the linked answer and the linked aws blog post have been my start points for hacking on this and can serve as a baseline

    {
 "Version":"2012-10-17",
 "Statement": [
   {
     "Sid": "AllowUserToSeeBucketListInTheConsole",
     "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::*"]
   },
  {
     "Sid": "AllowRootAndHomeListingOfCompanyBucket",
     "Action": ["s3:ListBucket"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::yourbucketname"],
     "Condition":{"StringEquals":{"s3:prefix":["","yourfoldername/"],"s3:delimiter":["/"]}}
    },
   {
     "Sid": "AllowListingOfUserFolder",
     "Action": ["s3:ListBucket"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::yourbucketname"],
     "Condition":{"StringLike":{"s3:prefix":["yourfoldername/*"]}}
   },
   {
     "Sid": "AllowAllS3ActionsInUserFolder",
     "Effect": "Allow",
     "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::yourbucketname/yourfoldername/*"]
   },
{
      "Action": [
        "s3:*"
      ],
      "Sid": "Stmt1375581921000",
      "Resource": [
"arn:aws:s3:::yourbucketname/anotherfolder1/*",
"arn:aws:s3:::yourbucketname/anotherfolder2/*",
"arn:aws:s3:::yourbucketname/anotherfolder3/*",
"arn:aws:s3:::yourbucketname/anotherfolder4/*"
      ],
      "Effect": "Deny"
    }
 ]
}

推荐答案

在放弃之前，我最终花了大约3天的时间，并说服了对此有业务需求的人，我可以在半个小时，如果他们让我重新整理一下水桶的话.他们同意，所以我最终只是在存储桶中创建子文件夹"，然后创建了IAM组以授予对每个单独的子文件夹"的访问权限.

I ended up spending about 3 days on this before I gave up and convinced the person with the business need for this that I could get the whole thing done in a half hour if they would let me re-organize the bucket. They agreed, so I ended up just creating "subfolders" in the bucket and then just created IAM groups granting access to each individual "subfolder".

所以我像这样重组了存储桶:

So I reorganized the bucket like so:

我的财务桶/
my-finance-bucket/文件
我的财务桶/共享的/
my-finance-bucket/共享/文件
my-finance-bucket/
my-finance-bucket/数据/
my-finance-bucket/数据/文件
my-finance-bucket/报告/
my-finance-bucket/报告/文件

my-finance-bucket/
my-finance-bucket/files
my-finance-bucket/shared/
my-finance-bucket/shared/files
my-finance-bucket/
my-finance-bucket/data/
my-finance-bucket/data/files
my-finance-bucket/reports/
my-finance-bucket/reports/files

按照这种模式，我压缩了现有的子文件夹"，例如
我的财务存储桶/一些报告/*
我的财务时段/其他报告/*
降至
我的财务存储桶/报告/一些报告/*
my-finance-bucket/reports/some-other-report/*

Following this pattern, I condensed existing "subfolders" such as
my-finance-bucket/some-report/*
my-finance-bucket/some-other-report/*
down to
my-finance-bucket/reports/some-report/*
my-finance-bucket/reports/some-other-report/*

，用于压缩/shared/和/data/

and the same for condensing things under /shared/ and /data/

完成此操作后，我能够依靠其固有的拒绝功能，并使用IAM组策略简单地允许对单个顶层文件夹的访问.通过简单地将用户添加到这些组中，我能够选择性地授予对某些子文件夹而非其他子文件夹的访问权限.

This being done, I was able to rely on the inherent deny functionality and simply carve out allow access for the individual top level folders using IAM group policies. By simply adding users to those groups, I was able to selectively grant access to some subfolders and not others.

我创建的用于访问每个单独存储桶的所有策略均遵循以下格式:

All of the policies I created for access to each individual bucket followed this format:

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "AllowListAllMyBuckets",
        "Effect": "Allow",
        "Action": [
            "s3:ListAllMyBuckets",
            "s3:GetBucketLocation"
        ],
        "Resource": [
            "arn:aws:s3:::*"
        ]
    },
    {
        "Sid": "AllowedListAccess",
        "Effect": "Allow",
        "Action": [
            "s3:ListBucket",
            "s3:GetBucketAcl",
            "s3:GetBucketLocation"
        ],
        "Resource": [
            "arn:aws:s3:::my-finance-bucket",
            "arn:aws:s3:::my-finance-bucket/shared"
        ]
    },
    {
        "Sid": "AllowedObjectAccess",
        "Effect": "Allow",
        "Action": [
            "s3:*Object*"
        ],
        "Resource": [
            "arn:aws:s3:::my-finance-bucket/shared/*"
        ]
    }
]

}

请注意，由于/*允许访问列表和对象，因此对顶层子文件夹具有访问权限的人也可以访问这些子文件夹.如果需要嵌套的子文件夹访问，我相信它将与原始问题相同.但是，我认为，通过对该存储桶进行简单直接的重组，我可以明确拒绝子文件夹，而使用其他明确允许这些子文件夹的组来实现此目的.我敢肯定，这对于最初的问题也可以解决，但是存储桶的组织方式将使创建和维护策略成为一项繁重的任务.

Note that by virtue of the /* allows for list and object access, that the subfolders are also accessible to folks with access to the top level subfolders. Should nested subfolder access have been required, I believe it would have been the same issue as the original question. BUT, I think that with the simple and straightforward re-organization of this bucket I could have made it happen with explicit denies to the subfolders, and additional groups with explicit allows to those same subfolders. I'm fairly certain this also would have worked for the original question, but the way the bucket was organized would have made it an onerous task to create and maintain the policies.

最后，值得注意的是，此方法使无法拒绝对文件夹"和文件"的列表访问.这意味着，尽管共享组中的用户可以看到数据和报表文件夹中文件和文件夹的名称，但他们无法执行任何其他操作(仅获取或放置aka列表访问权限，不读取，不写入)

Last, it's worth noting that this method makes it impossible to deny list access to "folders" and "files". This means that while users in the shared group can see the names of the files and folders in the data and reports folders, they cannot perform any other operations (no get or put aka list access only, no read, no write)

这篇关于S3存储桶的IAM组策略:拒绝文件夹但不拒绝文件的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！