
I am trying to get my iOS app to upload to S3 using credentials obtained from a slightly modified Anonymous Token Vending Machine.

The policy statement my token vending machine returns is:

{"Statement":
    [
        {"Effect":"Allow",
         "Action":"s3:*",
         "Resource":"arn:aws:s3:::my-bucket-test",
         "Condition": {
            "StringLike": {
                "s3:prefix": "66-*"
            }
         }
        },
        {"Effect":"Deny","Action":"sdb:*","Resource":["arn:aws:sdb:us-east-1:MYACCOUNTIDHERE:domain/__USERS_DOMAIN__","arn:aws:sdb:us-east-1:MYACCOUNTIDHERE:domain/TokenVendingMachine_DEVICES"]},
        {"Effect":"Deny","Action":"iam:*","Resource":"*"}
    ]
}

The object I want to put has the same bucket name and the key 66-3315F11E-84FA-417F-9C32-AC4BE364AD99.natural.mp4

As far as I understand, this should work, but it does not and throws an Access Denied message. Is there something wrong with my policy statement?


1 Answer


You do not need to use the prefix to refer to the resource in the context of object operations. I would also recommend restricting the S3 actions. Here is a recommended policy, based on the policy in an article on the S3 Personal File Store. Feel free to remove ListBucket if it does not make sense for your app.

{"Statement":
    [
        {"Effect":"Allow",
         "Action":["s3:PutObject","s3:GetObject","s3:DeleteObject"],
         "Resource":"arn:aws:s3:::my-bucket-test/66-*"
        },
        {"Effect":"Allow",
         "Action":"s3:ListBucket",
         "Resource":"arn:aws:s3:::my-bucket-test",
         "Condition":{
              "StringLike":{
                   "s3:prefix":"66-*"
              }
         }
        },
        {"Effect":"Deny","Action":"sdb:*","Resource":["arn:aws:sdb:us-east-1:MYACCOUNTIDHERE:domain/__USERS_DOMAIN__","arn:aws:sdb:us-east-1:MYACCOUNTIDHERE:domain/TokenVendingMachine_DEVICES"]},
        {"Effect":"Deny","Action":"iam:*","Resource":"*"}
    ]
}
answered 2013-08-15T17:18:03.857
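To see why the question's policy produces Access Denied while the answer's does not, here is an added example (not from this thread, and not AWS's real evaluation engine) implementing a simplified IAM policy evaluator in Python: object actions such as PutObject are authorized against the object ARN (bucket/key), a StringLike condition on a key absent from the request context does not match, and an explicit Deny beats any Allow. The two policies are copied from the thread with the sdb/iam Deny statements left out; the ARNs, key and prefixes are the poster's values.

```python
import fnmatch

# Values from the thread (the bucket ARN and the object key the poster tried to upload).
BUCKET = "arn:aws:s3:::my-bucket-test"
KEY = "66-3315F11E-84FA-417F-9C32-AC4BE364AD99.natural.mp4"

# The question's policy: s3:* on the bucket ARN only, gated by an s3:prefix condition.
ORIGINAL_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": BUCKET,
     "Condition": {"StringLike": {"s3:prefix": "66-*"}}}]}

# The answer's policy: object actions on bucket/66-*, ListBucket gated by s3:prefix.
FIXED_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": BUCKET + "/66-*"},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET,
     "Condition": {"StringLike": {"s3:prefix": "66-*"}}}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_ok(cond, ctx):
    # Simplified IAM semantics: StringLike is a glob match, and a condition key that
    # is not present in the request context makes the statement fail to match.
    for key, pattern in cond.get("StringLike", {}).items():
        if key not in ctx or not any(fnmatch.fnmatchcase(ctx[key], p) for p in _as_list(pattern)):
            return False
    return True

def evaluate(policy, action, resource, ctx=None):
    """Return 'Allow' or 'Deny' for one request: explicit Deny wins, else any matching Allow,
    else implicit Deny. Action and Resource entries are matched as glob patterns."""
    ctx = ctx or {}
    verdict = "Deny"
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _condition_ok(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        verdict = "Allow"
    return verdict

def demo():
    obj = BUCKET + "/" + KEY  # PutObject is evaluated against the object ARN, not the bucket ARN
    return {
        "original_put": evaluate(ORIGINAL_POLICY, "s3:PutObject", obj),            # Deny
        "fixed_put": evaluate(FIXED_POLICY, "s3:PutObject", obj),                  # Allow
        "fixed_put_other_prefix": evaluate(FIXED_POLICY, "s3:PutObject", BUCKET + "/67-x.mp4"),  # Deny
        "fixed_list_own": evaluate(FIXED_POLICY, "s3:ListBucket", BUCKET, {"s3:prefix": "66-"}),  # Allow
        "fixed_list_other": evaluate(FIXED_POLICY, "s3:ListBucket", BUCKET, {"s3:prefix": "67-"}),  # Deny
    }
```

The original policy fails on two counts at once: its Resource is the bucket ARN, which never matches an object ARN, and s3:prefix is only present in the context of list requests, so the condition cannot be satisfied by a PutObject.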