我在mac上使用cyberduck,我试图阻止用户通过s3的IAM策略访问某些目录。我让它工作到它会阻止用户访问他们不应该访问的文件夹命名空间的地步,但我注意到的一件事是用户仍然可以访问其指定文件夹之上级别的文件(用户所在的文件夹在cyberduck 中允许访问称为图像)。例子:
/images/
/afile1
/afile2
/afile3
/restrictedFolder1/
/restrictedFolder2/
所以我想知道的是,如果我可以限制对该用户文件夹之外的文件的访问,或者如果我不能,那么我可以通过 IAM 隐藏这些文件(或者在查询中不返回它们)吗?
我的政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUserToSeeBucketListInTheConsole",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Sid": "AllowListingOfBrandcentralPRDBucket",
"Action": [
"s3:ListBucket",
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::mybucket"
],
"Condition": {
"StringEquals": {
"s3:prefix": [
"",
"images/"
],
"s3:delimiter": [
"/"
]
}
}
},
{
"Sid": "ListObjectsForTheImagesFolder",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::mybucket"
],
"Condition": {
"StringNotEquals": {
"s3:prefix": [
"images/initial/",
"images/REJECTED/",
"assets/"
]
}
}
},
{
"Sid": "GrantPromissionsForTheImagesFolder",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:GetObjectAcl",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::mybucket/images/*"
]
}
]
}