IAM AWS S3限于特定的子文件夹 [英] IAM AWS S3 to restrict to a specific sub-folder
问题描述
我正在使用AWS S3组件存储文件.
I'm using AWS S3 component to store files.
我有一个名为" mybucket "的存储桶,其中包含以下文件夹:
I have a bucket called "mybucket" and with the following folders :
+---Mybucket
\---toto1
\---toto2
+---toto3
| \--- subfolder
| \---subsubfolder
\---toto4
我有AWS控制台用户,只需要访问"toto3"文件夹.
I have AWS console users that need only need to access "toto3" folder.
我试图限制对此文件夹的访问,但是用户必须有权列出存储桶的根目录.如果我赋予访问根文件夹更多的权限,则用户可以浏览"toto1"和"toto2"文件夹,而我则不需要.
I tried to restrict the access to this folder, but the user must have the right to list the root of bucket. If I put additional rights to acces the root folder, users can browser "toto1" and "toto2" folders and I don't want.
我想配置类似的东西:
- 授权列出我的S3帐户的所有存储桶(listAllBuckets策略)
- 自动列出存储桶的根目录(如果用户看到目录名称,这对我来说是可以的)
- 拒绝所有与"toto3"不同的前缀存储区的访问权限
- 自动执行toto3文件夹中用户的所有操作
- 我不想写一个包容性的规则
我尝试了此IAM策略,但没有成功:
I tried this IAM policy without any success :
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:PutObject",
"s3:GetObject"
],
"Resource": ["arn:aws:s3:::mybucket/toto3/*"]
},
{
"Sid": "Stmt1457617383000",
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Resource": ["arn:aws:s3:::mybucket"]
},
{
"Sid": "Stmt1457617230000",
"Effect": "Deny",
"Action": ["s3:*"],
"Condition": {
"StringNotLike": {
"s3:prefix": "toto3*"
}
},
"Resource": [
"arn:aws:s3:::mybucket/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": [
"*"
]
}
]
}
推荐答案
以下适用于您的政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::mybucket/toto3/*"
]
},
{
"Sid": "Stmt1457617230000",
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"",
"toto3/"
]
}
},
"Resource": [
"arn:aws:s3:::mybucket*"
]
}
]
}
详细信息:
-
控制台需要
-
ListAllMyBuckets
.它显示了所有存储桶的列表. -
toto3/
路径内允许的任何操作.
存储区的根目录和 -
ListBucket
(检索对象列表).
toto3/
路径中允许使用ListAllMyBuckets
is required by the Console. It shows a list of all buckets.- Any action permitted within the
toto3/
path. ListBucket
(retrieve objects list) permitted in the root of the bucket and in thetoto3/
path.
我成功测试了此解决方案.
I successfully tested this solution.
这篇关于IAM AWS S3限于特定的子文件夹的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!