AWS IAM Permissions for GetObjects in ONE S3 Bucket not working


Problem description


I am trying to write a permission for a user to just be able to access the objects in ONE specific bucket.

I currently have:

{
  "Version": "2012-10-17",
  "Statement":[{
    "Effect": "Allow",
    "Action": "s3:GetObject",
    "Resource": ["arn:aws:s3:::test",
                 "arn:aws:s3:::test/*"]
    }
  ]
}


but the user can still access ALL my other buckets. Note that my other buckets don't have policy... I don't think it should matter. I just want that user's IAM to be allowed to that specific bucket.

Recommended answer

Amazon S3 is one of the most complex services due to offering three different permission mechanisms, which can all be applied simultaneously, see e.g. IAM policies and Bucket Policies and ACLs! Oh My! (Controlling Access to S3 Resources) (http://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourc) for a nice writeup of the subject matter, in particular, section How does authorization work with multiple access control mechanisms?:


Whenever an AWS principal issues a request to S3, the authorization decision depends on the union of all the IAM policies, S3 bucket policies, and S3 ACLs that apply.

The behavior you experience indicates some misconfiguration somewhere, i.e. you likely allow access to the bucket at a level you might not be aware of - concerning Amazon IAM alone, the IAM Policy Simulator (http://docs.aws.amazon.com/IAM/latest/UsingPolicySimulatorGuide/iam-policy-simulator-guide.html) is an excellent tool to debug such situations and I highly suggest verifying your configuration there first.


However, while this is sufficient for most services, it doesn't cover the other two permission mechanisms for S3 as outlined above, but would at least isolate the analysis already.
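The "union" rule the answer quotes, as an added illustration that is not part of the original answer or of any AWS code: a deliberately simplified Python evaluator of IAM Allow/Deny logic, run over the asker's policy alone, then together with a constructed broader read policy (the kind that could reach the same user through a group), then with a constructed explicit Deny. It models only the IAM side that the Policy Simulator isolates, so conditions, NotAction, Principal, bucket policies and ACLs are left out.

```python
from fnmatch import fnmatchcase
# The asker's policy, exactly as posted in the question.
ONE_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:GetObject",
    "Resource": ["arn:aws:s3:::test", "arn:aws:s3:::test/*"]}]}

# Constructed example of a broader policy that could also reach the user (e.g. via a group).
BROAD_READ_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}

# Constructed example of an explicit Deny for everything outside the one bucket.
DENY_OUTSIDE_TEST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": "s3:*",
    "NotResource": ["arn:aws:s3:::test", "arn:aws:s3:::test/*"]}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, target):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    return any(fnmatchcase(target, p) for p in _as_list(patterns))

def is_allowed(policies, action, resource):
    """Simplified IAM decision over the UNION of all supplied policies: an explicit
    Deny wins, otherwise any Allow wins, otherwise the request is implicitly denied.
    Conditions, NotAction, Principal, bucket policies and ACLs are not modelled."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(stmt["Action"], action):
                continue
            if "Resource" in stmt:
                applies = _matches(stmt["Resource"], resource)
            else:  # NotResource: the statement covers everything NOT listed
                applies = not _matches(stmt["NotResource"], resource)
            if not applies:
                continue
            if stmt["Effect"] == "Deny":
                return False  # explicit Deny overrides any Allow
            allowed = True
    return allowed

def decisions():
    """(allowed in 'test', allowed in 'other') for s3:GetObject under each policy set."""
    sets = {"asker_policy_alone": [ONE_BUCKET_POLICY],
            "plus_broad_policy": [ONE_BUCKET_POLICY, BROAD_READ_POLICY],
            "plus_explicit_deny": [ONE_BUCKET_POLICY, BROAD_READ_POLICY, DENY_OUTSIDE_TEST]}
    return {name: (is_allowed(p, "s3:GetObject", "arn:aws:s3:::test/a.csv"),
                   is_allowed(p, "s3:GetObject", "arn:aws:s3:::other/b.csv"))
            for name, p in sets.items()}
```

The second row is the situation from the question: the posted policy is fine on its own, and the access to other buckets comes from some other statement that is also in force for the user.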
