0

我正在为用户创建一个设置以在 S3 存储桶中上传文件。用户将通过 Cyber​​duck S3 登录以访问他们的存储桶。

这是放置文件的基本方式:

  • 存储桶/user1/fileX
  • 存储桶/user1/fileY
  • 存储桶/user2/fileX
  • 存储桶/user2/fileY

当用户浏览以上传文件时,我想防止他们看到哪些其他用户可以访问存储桶。User1 应该看​​不到 user2 文件夹。这可能吗?

当前政策:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUserToSeeBucketListInTheConsole",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Sid": "AllowRootAndHomeListingOfCompanyBucket",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::bucketname"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:prefix": [
                        ""
                    ]
                }
            }
        },
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::bucketname"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "${aws:username}/*"
                    ]
                }
            }
        },
        {
            "Sid": "AllowAllS3ActionsInUserFolder",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::bucketname/${aws:username}/*"
            ]
        }
    ]
}
4

1 回答 1

0

在我的情况下,最好的方法是删除第一个语句中列出的访问权限:

    {
        "Sid": "AllowUserToSeeBucketListInTheConsole",
        "Action": [
            "s3:ListAllMyBuckets",
            "s3:GetBucketLocation"
        ],
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::*"
        ]
    },
    {
        "Sid": "AllowRootAndHomeListingOfCompanyBucket",
        "Action": [
            "s3:ListBucket"
        ],
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::bucketname"
        ],
        "Condition": {
            "StringEquals": {
                "s3:prefix": [
                    ""
                ]
            }
        }
    },

在此之后,我让用户直接登录到他们在 Cyber​​duck 中的文件夹。为了直接访问文件夹,请创建书签而不是直接登录。书签选项有更多选项可以设置。

于 2020-03-27T16:26:16.493 回答