0

我正在尝试按角色限制用户仅访问 S3 存储桶中的特定文件夹。可以说,存储桶被配置为“模拟可挂载”,这样我们就可以将它用于文件共享,就好像它是一个更传统的服务器一样。每个用户都在使用 CloudBerry 远程访问 S3。

这是我当前的(损坏的)策略,存储桶名称是“bluebolt”。

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "AllowUserToSeeBucketListInTheConsole",
        "Effect": "Allow",
        "Action": [
            "s3:GetBucketLocation",
            "s3:ListAllMyBuckets"
        ],
        "Resource": [
            "arn:aws:s3:::*"
        ]
    },
    {
        "Sid": "AllowRootAndHomeListingOfCompanySharedAndPAndP",
        "Effect": "Allow",
        "Action": [
            "s3:ListBucket"
        ],
        "Resource": [
            "arn:aws:s3:::bluebolt"
        ],
        "Condition": {
            "StringEquals": {
                "s3:prefix": [
                    "",
                    "Production and Processing/",
                    "Production and Processing/${aws:username}",
                    "Company Shared/"
                ],
                "s3:delimiter": [
                    "/"
                ]
            }
        }
    },
    {
        "Sid": "AllowListingOfCompanyShared",
        "Effect": "Allow",
        "Action": [
            "s3:ListBucket"
        ],
        "Resource": [
            "arn:aws:s3:::bluebolt"
        ],
        "Condition": {
            "StringLike": {
                "s3:prefix": [
                    "Company Shared/*"
                ]
            }
        }
    },
    {
        "Sid": "AllowListingOfUserFolder",
        "Effect": "Allow",
        "Action": [
            "s3:ListBucket"
        ],
        "Resource": [
            "arn:aws:s3:::bluebolt"
        ],
        "Condition": {
            "StringLike": {
                "s3:prefix": [
                    "Production and Processing/${aws:username}/",
                    "Production and Processing/${aws:username}/*"
                ]
            }
        }
    },
    {
        "Sid": "AllowAllS3ActionsCompanyShared",
        "Effect": "Allow",
        "Action": [
            "s3:*"
        ],
        "Resource": [
            "arn:aws:s3:::bluebolt/Company Shared/*"
        ]
    },
    {
        "Sid": "AllowAllS3ActionsInUserFolder",
        "Effect": "Allow",
        "Action": [
            "s3:*"
        ],
        "Resource": [
            "arn:aws:s3:::bluebolt/Production and Processing/${aws:username}/*"
        ]
    },
    {
        "Sid": "DenyAllS3ActionsInManagement",
        "Effect": "Deny",
        "Action": [
            "s3:*"
        ],
        "Resource": [
            "arn:aws:s3:::bluebolt/Management/*"
        ]
    }
]

}

所以,我想做的是限制用户仅列出/读取/写入“/Production and Processing/[UserName]”中的内容,同时能够列出/读取“/Company Shared”中的所有内容,同时明确禁止对“/Management”的所有访问权限以及“/Production and Processing/*”中的所有内容,但其用户文件夹除外。理想情况下,用户只会在 bluebolt 中看到“/Company Shared”和“/Production and Processing”,一旦他们进入“/Production and Processing”,他们只会看到他们的用户名文件夹,即他们的工作区。

现在,一旦用户在 bluebolt 顶级存储桶下方挖掘,我就会得到零星的访问权限(“您无权访问”)。

我不知道这个用例是否常见,或者我是否试图将太方的钉子放入圆孔中,但欢迎并非常感谢任何反馈/提示/类似的政策应用程序/严厉的批评!

4

2 回答 2

1

联合用户的 IAM 策略变量

${aws:userName} 政策变量不适用于角色。使用 ${aws:userID} 策略变量而不是 ${aws:userName} 策略变量。

${aws:userid} 变量将是“ROLEID:caller-specified-name”。

aws:userid我对一个角色使用了相同的策略。

  1. 获取角色 ID。

    iam get-role --role-name Arsenal-role --query Role.RoleId
AROAXXT2NJT7D3SIQN7Z6

  2. 要求您的用户上传到Bucket/Prefix/<RoleID:SessionName>/

    aws s3 cp test.txt 's3://mydemo/Production and Processing/AROAXXT2NJT7D3SIQN7Z6:john/' --profile s3role
upload: ./test.txt to s3://mydemo/Production and Processing/AROAXX2NJT7D3SIQN7Z6:john/test.txt

aws s3 cp test.txt 's3://mydemo/Management/' --profile s3role
upload failed: ./test.txt to s3://mydemo/Management/test.txt An error occurred (AccessDenied) when calling the PutObject operation: Access Denied

aws s3 cp test.txt 's3://mydemo/Production and Processing/' --profile s3role
upload failed: ./test.txt to s3://mydemo/Production and Processing An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
于 2018-03-16T10:21:53.487 回答
0

这是我开始工作的代码。

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "AllowListingOfUserFolder",
        "Action": [
            "s3:ListBucket"
        ],
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::bluebolt"
        ],
        "Condition": {
            "StringLike": {
                "s3:prefix": [
                    "*",
                    "bluebolt/Company Shared/*",
                    "bluebolt/Production and Processing/*",
                    "bluebolt/Production and Processing/${aws:userName}/*"
                ]
            }
        }
    },
    {
        "Sid": "AllowAllS3ActionsInUserFolder",
        "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:GetObjectVersion",
            "s3:DeleteObject"
        ],
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::bluebolt/Production and Processing/${aws:userName}/*"
        ]
    },
    {
        "Sid": "AllowCertainS3ActionsInCompanyShared",
        "Action": [
            "s3:GetObject",
            "s3:GetObjectVersion"
        ],
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::bluebolt/Company Shared/*"
        ]
    }
]

}

于 2018-03-20T00:54:50.623 回答