
The phone can correctly upload its content to our S3 bucket under the IAM user using the following bucket policy:

{
    "Version": "2008-10-17",
    "Id": "redacted",
    "Statement": [
        {
            "Sid": "redacted",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::redacted:user/iam_user"
            },
            "Action": "s3:ListBucketMultipartUploads",
            "Resource": "arn:aws:s3:::bucket_name"
        },
        {
            "Sid": "redacted",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::202695660434:user/iam_user"
            },
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:GetObject",
                "s3:ListMultipartUploadParts",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::bucket_name/uploads/*"
        }
    ]
}

I want to follow best practice and allow federated users to upload to this bucket from mobile devices. How would I adjust the policy? I can currently create federated user credentials, but uploads do not work correctly. This policy fails to save:

{
    "Version": "2008-10-17",
    "Id": "redacted",
    "Statement": [
        {
            "Action": [
                "sts:GetFederationToken"
            ],
            "Sid": "redacted",
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        },
        {
            "Sid": "redacted",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::redacted:user/iam_user"
            },
            "Action": "s3:ListBucketMultipartUploads",
            "Resource": "arn:aws:s3:::bucket_name"
        },
        {
            "Sid": "redacted",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::202695660434:user/iam_user"
            },
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:GetObject",
                "s3:ListMultipartUploadParts",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::bucket_name/uploads/*"
        }
    ]
}
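The following Python script is an added example, not code from the question or the answer. It separates the three documents a GetFederationToken upload flow actually involves: the IAM user's identity-based policy (which is where sts:GetFederationToken belongs, since a bucket policy only accepts s3: actions), the scoped-down session policy passed in the Policy parameter of GetFederationToken, and a bucket policy whose Principal is the federated session's arn:aws:sts::ACCOUNT:federated-user/NAME ARN rather than the IAM user. It also checks why the second policy in the question is rejected as a bucket policy (a statement with no Principal and a non-S3 action) and simulates the rule that a federated session may only do what both the identity policy and the session policy allow. The account ID 123456789012, the device-42 name, the uploads/<device>/ key layout and the use of the current 2012-10-17 policy version are assumptions made for the example.

```python
"""Policy documents for an S3 upload through sts:GetFederationToken, plus a small
offline simulator of how IAM combines them. All identifiers are placeholders."""
import json
from fnmatch import fnmatchcase

ACCOUNT_ID = "123456789012"     # placeholder account, not a real one
BUCKET = "bucket_name"
UPLOAD_PREFIX = "uploads"       # per-device sub-prefix layout is an assumption
POLICY_VERSION = "2012-10-17"   # current policy language version


def _as_list(value):
    return value if isinstance(value, list) else [value]


def iam_user_policy() -> dict:
    """Identity-based policy attached to the IAM user whose long-term keys call
    GetFederationToken. sts:GetFederationToken is granted here, not in the
    bucket policy, which only understands s3: actions."""
    return {
        "Version": POLICY_VERSION,
        "Statement": [
            {"Effect": "Allow", "Action": "sts:GetFederationToken", "Resource": "*"},
            {"Effect": "Allow", "Action": "s3:ListBucketMultipartUploads",
             "Resource": f"arn:aws:s3:::{BUCKET}"},
            {"Effect": "Allow",
             "Action": ["s3:AbortMultipartUpload", "s3:GetObject",
                        "s3:ListMultipartUploadParts", "s3:PutObject"],
             "Resource": f"arn:aws:s3:::{BUCKET}/{UPLOAD_PREFIX}/*"},
        ],
    }


def session_policy(device_id: str) -> dict:
    """Policy passed in the Policy parameter of GetFederationToken. The session
    may do only what BOTH this and iam_user_policy() allow, so each device is
    confined to its own key prefix and never gets s3:GetObject."""
    return {
        "Version": POLICY_VERSION,
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucketMultipartUploads",
             "Resource": f"arn:aws:s3:::{BUCKET}"},
            {"Effect": "Allow",
             "Action": ["s3:AbortMultipartUpload", "s3:ListMultipartUploadParts",
                        "s3:PutObject"],
             "Resource": f"arn:aws:s3:::{BUCKET}/{UPLOAD_PREFIX}/{device_id}/*"},
        ],
    }


def federated_user_arn(name: str) -> str:
    """ARN under which a GetFederationToken session appears as a principal."""
    return f"arn:aws:sts::{ACCOUNT_ID}:federated-user/{name}"


def bucket_policy(federated_name: str) -> dict:
    """Resource-based policy: every statement carries a Principal and uses only
    s3: actions; the principal is the federated session, not the IAM user."""
    principal = {"AWS": federated_user_arn(federated_name)}
    return {
        "Version": POLICY_VERSION,
        "Statement": [
            {"Effect": "Allow", "Principal": principal,
             "Action": "s3:ListBucketMultipartUploads",
             "Resource": f"arn:aws:s3:::{BUCKET}"},
            {"Effect": "Allow", "Principal": principal,
             "Action": ["s3:AbortMultipartUpload", "s3:ListMultipartUploadParts",
                        "s3:PutObject"],
             "Resource": f"arn:aws:s3:::{BUCKET}/{UPLOAD_PREFIX}/*"},
        ],
    }


def validate_bucket_policy(doc: dict) -> list:
    """Reasons S3 would refuse to save this document as a bucket policy."""
    errors = []
    for i, stmt in enumerate(doc.get("Statement", [])):
        if "Principal" not in stmt:
            errors.append(f"statement {i}: bucket policy statements need a Principal")
        for action in _as_list(stmt.get("Action", [])):
            if action.split(":")[0] not in ("s3", "*"):
                errors.append(f"statement {i}: {action!r} is not an S3 action")
    return errors


def policy_allows(doc: dict, action: str, resource: str) -> bool:
    """Simplified IAM evaluation: an explicit Deny wins, else any matching Allow.
    Action names are case-insensitive; '*' and '?' wildcards are honoured."""
    allowed = False
    for stmt in doc["Statement"]:
        if not any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def federated_session_allows(action: str, resource: str, device_id: str) -> bool:
    """Effective permission of the federated session: the intersection of the
    IAM user's identity policy and the session policy it was created with."""
    return (policy_allows(iam_user_policy(), action, resource)
            and policy_allows(session_policy(device_id), action, resource))


# Constructed copy of the first statement of the policy that failed to save above.
FAILING_STATEMENT = {"Effect": "Allow", "Action": ["sts:GetFederationToken"], "Resource": ["*"]}

if __name__ == "__main__":
    print(validate_bucket_policy({"Statement": [FAILING_STATEMENT]}))
    print(json.dumps(bucket_policy("device-42"), indent=2))
    print(federated_session_allows(
        "s3:PutObject", f"arn:aws:s3:::{BUCKET}/{UPLOAD_PREFIX}/device-42/photo.jpg", "device-42"))
```

The GetFederationToken call itself has to be signed with the IAM user's long-term access keys, so it belongs on a backend that hands the resulting temporary credentials to the device; those keys must never be shipped inside the mobile app. For mobile clients AWS's own recommendation is a Cognito identity pool (or AssumeRole) rather than GetFederationToken, which gives the same scoped, short-lived credentials without a long-term key anywhere in the flow.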

1 Answer


I have the same situation: I need some users to upload files into a specific bucket, and some users need to download data from certain buckets.

I plan to have a Lambda function that requests access on behalf of the user to read/write from a specific bucket and serves the files to them locally. I'm not sure whether this is one of the best practices.

I will provide security around how the Lambda function is invoked.

answered 2017-07-07T14:38:09.207