0

我正在尝试将 IAM 用户的访问权限限制为仅 3 个存储桶。我正在努力在 AWS 上创建一个 IAM 策略,使 IAM 用户能够将文件同步到 AWS S3 和从 AWS S3 同步文件。我已经编写了以下策略,但是每次我运行aws sync命令将桌面上的文件夹与我的策略允许访问的存储桶同步时,终端似乎会卡住而没有输出任何响应或完成该过程。关于相同可能缺少哪些权限的任何想法?

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:ListBucket",
            "s3:DeleteObject",
            "s3:GetBucketLocation"
        ],
        "Resource": [
            "arn:aws:s3:::bucket-1",
            "arn:aws:s3:::bucket-2",
            "arn:aws:s3:::bucket-3"
        ]
    }
]

}

4

2 回答 2

1

一些 S3 命令需要存储桶级别的权限,而其他 S3 命令需要对象级别的权限。

解决此问题的最简单方法是同时指定两者。

尝试这个:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-1",
                "arn:aws:s3:::bucket-2",
                "arn:aws:s3:::bucket-3",
                "arn:aws:s3:::bucket-1/*",
                "arn:aws:s3:::bucket-2/*",
                "arn:aws:s3:::bucket-3/*"
            ]
        }
    ]
}
于 2020-08-07T03:32:34.043 回答
0

我不确定您是在尝试编写 IAM 策略还是存储桶策略?如果是后者。在任何一种情况下,您都缺少对象级权限。对于存储桶策略,您还缺少 principals

您还可以将对象或存储桶的语句分开。以下是存储桶策略的示例:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxx:user/a_user"
             },            
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-1",
                "arn:aws:s3:::bucket-2",
                "arn:aws:s3:::bucket-3"
            ]
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxx:user/a_user"
             },            
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-1/*",
                "arn:aws:s3:::bucket-2/*",
                "arn:aws:s3:::bucket-3/*"
            ]
        }   
    ]
}
于 2020-08-07T04:02:41.137 回答