IAM AWS S3限于特定的子文件夹 [英] IAM AWS S3 to restrict to a specific sub-folder

问题描述

我正在使用AWS S3组件存储文件.

I'm using AWS S3 component to store files.

我有一个名为" mybucket "的存储桶，其中包含以下文件夹:

I have a bucket called "mybucket" and with the following folders :

+---Mybucket
\---toto1
\---toto2
+---toto3
|   \--- subfolder
|       \---subsubfolder
\---toto4

我有AWS控制台用户，只需要访问"toto3"文件夹.

I have AWS console users that need only need to access "toto3" folder.

我试图限制对此文件夹的访问，但是用户必须有权列出存储桶的根目录.如果我赋予访问根文件夹更多的权限，则用户可以浏览"toto1"和"toto2"文件夹，而我则不需要.

I tried to restrict the access to this folder, but the user must have the right to list the root of bucket. If I put additional rights to acces the root folder, users can browser "toto1" and "toto2" folders and I don't want.

我想配置类似的东西:

• 授权列出我的S3帐户的所有存储桶(listAllBuckets策略)
• 自动列出存储桶的根目录(如果用户看到目录名称，这对我来说是可以的)
• 拒绝所有与"toto3"不同的前缀存储区的访问权限
• 自动执行toto3文件夹中用户的所有操作
• 我不想写一个包容性的规则

我尝试了此IAM策略，但没有成功:

I tried this IAM policy without any success :

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": ["arn:aws:s3:::mybucket/toto3/*"]
        },
        {
            "Sid": "Stmt1457617383000",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": ["arn:aws:s3:::mybucket"]
        },
        {
            "Sid": "Stmt1457617230000",
            "Effect": "Deny",
            "Action": ["s3:*"],
            "Condition": {
                "StringNotLike": {
                    "s3:prefix": "toto3*"
                }
            },
            "Resource": [
                "arn:aws:s3:::mybucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

推荐答案

以下适用于您的政策:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket/toto3/*"
            ]
        },
        {
            "Sid": "Stmt1457617230000",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "",
                        "toto3/"
                    ]
                }
            },
            "Resource": [
                "arn:aws:s3:::mybucket*"
            ]
        }
    ]
}

详细信息:

控制台需要
• ListAllMyBuckets.它显示了所有存储桶的列表.
• toto3/路径内允许的任何操作.
存储区的根目录和toto3/路径中允许使用
• ListBucket(检索对象列表).

• ListAllMyBuckets is required by the Console. It shows a list of all buckets.
• Any action permitted within the toto3/ path.
• ListBucket (retrieve objects list) permitted in the root of the bucket and in the toto3/ path.

我成功测试了此解决方案.

I successfully tested this solution.

AWS文档参考:

这篇关于IAM AWS S3限于特定的子文件夹的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！