在AWS中，S3和IAM权限是否不同? [英] In AWS, are S3 and IAM permissions different?

问题描述

在AWS中创建S3存储桶后-我想了解应如何提供对S3存储桶的读写访问权限?

After creating an S3 bucket in AWS - I want to find out how permissions for Read and Write access to the S3 bucket should be provided?

我认为IAM用户权限和S3存储桶权限不同.我的意思是-可以通过将仅对AWS无权限的IAM用户添加到S3存储桶的权限来授予对S3存储桶的访问权限.而且S3权限与IAM权限无关>

I am thinking that IAM user permissions and S3 bucket permissions are different. What I am mean is - an IAM user with no permissions on AWS can be granted access to the S3 bucket by just adding him to the S3 buckets permissions for read or read+write accordingly. And S3 permissions have got nothing to do with IAM permissions>

以上理解正确吗?如果以上错误，请更正并详细说明?

Is the above understanding correct? Please correct and elaborate if the above is wrong?

推荐答案

S3权限与IAM权限无关

And S3 permissions have got nothing to do with IAM permissions

情况并非如此.存储桶及其对象的有效许可是基于IAM身份的许可(即，附加到IAM用户，角色，组的那些许可)加上存储桶策略以及其他许可的联合(SCP，IAM边界)，为简单起见，我没有提及.

This is not the case. The effective permission for the bucket and its objects are union of the IAM identity based permissions (i.e. those attached to IAM user,role, group) plus bucket policies plus other permissions (SCPs, IAM boundaries), which I don't mention for simplicity.

默认情况下，存储桶和对象是私有的.您可以使用IAM策略，存储桶策略或同时使用两者来允许访问它们.有效权限将是所有这些单独权限的并集.这意味着您可以使用存储桶策略向同一IAM用户授予对 object1 的访问权限，并且可以使用IAM策略向同一个IAM用户授予对 object2 的访问权限.该用户将可以访问两个对象.

By default bucket and objects are private. You can Allow access to them using either IAM policies, bucket policies or both. Effective permissions will be the union of all these individual permissions. This means that you can use bucket policy to grant access to object1 and IAM policy to grant access to object2 to the same IAM user. The said user will be able to access both objects.

当有 Deny 时，此行为会发生变化，因为拒绝总是获胜.因此，IAM用户可以在IAM策略中对给定存储桶具有 Allow ，但是该存储桶可以对该用户具有 Deny .结果将始终是 Deny .

This behavior changes when there is Deny, as deny always wins. So an IAM user can have Allow in IAM policies to a given bucket, but the bucket can have Deny for that user. The result will be Deny always.

因此，所有这些都意味着应将存储桶策略和IAM权限一起考虑并相互连接.因此，您不能说"S3权限与IAM权限无关".

Subsequently, all these mean that bucket polices and IAM permissions should be considered together and are inter-connected with each other. Thus, you can't say that "S3 permissions have got nothing to do with IAM permissions".

这篇关于在AWS中，S3和IAM权限是否不同?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！