9

我有一个 S3/AWS 账户。我有几个网站,每个网站都在 S3 上使用自己的存储桶进行读/写存储。我还在 S3 上的其他存储桶上托管了很多个人资料(备份等),这些资料是不可公开访问的。

我不希望这些网站——其中一些可能让其他人访问他们的源代码和配置属性并查看 S3 密钥——访问我的私人数据!

从阅读亚马逊的文档看来,我需要按每个存储桶的 Amazon USER划分权限,而不是按每个存储桶的访问密钥。但这行不通。似乎我只得到 2 个访问密钥。我需要一个作为主密钥的访问密钥,以及其他几个具有更多限制权限的访问密钥——仅适用于某些存储桶。

有没有办法做到这一点,或近似的?

4

3 回答 3

8

You can achieve your goal by facilitating AWS Identity and Access Management (IAM):

AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources for your users. IAM enables you to create and manage users in AWS, and it also enables you to grant access to AWS resources for users managed outside of AWS in your corporate directory. IAM offers greater security, flexibility, and control when using AWS. [emphasis mine]

As emphasized, using IAM is strongly recommended for all things AWS anyway, i.e. ideally you should never use your main account credentials for anything but setting up IAM initially (as mentioned by Judge Mental already, you can generate as many access keys as you want like so).

You can use IAM just fine via the AWS Management Console (i.e. their is no need for 3rd party tools to use all available functionality in principle).

Generating the required policies can be a bit tricky in times, but the AWS Policy Generator is extremely helpful to get you started and explore what's available.

For the use case at hand you'll need a S3 Bucket Policy, see Using Bucket Policies in particular and Access Control for a general overview of the various available S3 access control mechanisms (which can interfere in subtle ways, see e.g. Using ACLs and Bucket Policies Together).

Good luck!

于 2012-05-24T07:56:05.453 回答
0

只需创建一个自定义 IAM 组策略来限制对特定存储桶的访问

如...

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListAllMyBuckets"],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource":
      [
        "arn:aws:s3:::my.bucket",
        "arn:aws:s3:::my.bucket/*"
      ]
    }
  ]
}

第一个操作s3:ListAllMyBuckets允许用户列出所有存储桶。否则,当用户登录时,他们的 S3 客户端将不会在存储桶列表中显示任何内容。

第二个操作向名为“my.bucket”的存储桶的用户授予完整的 S3 权限。这意味着他们可以自由地在存储桶中创建/列出/删除存储桶资源和用户 ACL。

授予 s3:* 访问权限非常宽松。如果您想对存储桶进行更严格的控制,只需查找您要授予的相关操作并将它们添加为列表。

"Action": "s3:Lists3:GetObject, s3:PutObject, s3:DeleteObject"

我建议您将此策略创建为一个组(例如 my.bucket_User),这样您就可以将其分配给需要访问此存储桶的每个用户,而无需任何不必要的复制粘贴。

于 2014-06-24T16:41:13.943 回答
0

是的,要使用同一个 AWS 账户访问具有不同权限的不同登录账户,您可以使用 AWS IAM。作为 Bucket Explorer 的开发人员,如果您正在寻找该工具为您提供具有不同登录和不同访问权限的 gui 界面,我建议尝试 Bucket Explorer-团队版。阅读http://team20.bucketexplorer.com

于 2012-05-24T06:54:10.413 回答