7

您在理解 S3 IAM 政策和指令时遇到问题吗?不能完全理解他们的文档吗?我做到了。

我有一种情况,我必须从一个特定的文件夹和几个存储桶中锁定几个 IAM 用户,除了一个之外,就我而言,他们的大多数解决方案和示例解决方案都像泥巴一样清晰。在网上搜索并没有找到我想要的东西后,我找到了一个资源(http://blogs.aws.amazon.com/security/post/Tx1P2T3LFXXCNB5/Writing-IAM-policies-Grant-access-to-user- specific-folders-in-an-Amazon-S3-bucke),这很清楚并且实际上很有帮助,但它确实需要一些修改,结果就是您在下面看到的政策......

它的作用是允许用户访问存储桶中的特定文件夹,但拒绝访问同一存储桶中的任何其他列出的文件夹。请注意,您将无法阻止他们查看文件夹的内容,也无法阻止他们看到有其他存储桶,这是无济于事的。但是,他们将无权访问您选择的存储桶/文件夹。

4

1 回答 1

8
{
 "Version":"2012-10-17",
 "Statement": [
   {
     "Sid": "AllowUserToSeeBucketListInTheConsole",
     "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::*"]
   },
  {
     "Sid": "AllowRootAndHomeListingOfCompanyBucket",
     "Action": ["s3:ListBucket"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::yourbucketname"],
     "Condition":{"StringEquals":{"s3:prefix":["","yourfoldername/"],"s3:delimiter":["/"]}}
    },
   {
     "Sid": "AllowListingOfUserFolder",
     "Action": ["s3:ListBucket"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::yourbucketname"],
     "Condition":{"StringLike":{"s3:prefix":["yourfoldername/*"]}}
   },
   {
     "Sid": "AllowAllS3ActionsInUserFolder",
     "Effect": "Allow",
     "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::yourbucketname/yourfoldername/*"]
   },
{
      "Action": [
        "s3:*"
      ],
      "Sid": "Stmt1375581921000",
      "Resource": [
"arn:aws:s3:::yourbucketname/anotherfolder1/*",
"arn:aws:s3:::yourbucketname/anotherfolder2/*",
"arn:aws:s3:::yourbucketname/anotherfolder3/*",
"arn:aws:s3:::yourbucketname/anotherfolder4/*"
      ],
      "Effect": "Deny"
    }
 ]
}
于 2013-08-04T02:49:30.073 回答