S3 TVM problem - Access Denied

Time: 2013-08-13 19:24:43

Tags: amazon-web-services permissions amazon-s3 token policy

I am trying to get my iOS application to upload to S3 using credentials obtained from a slightly modified anonymous token vending machine.

The policy statement returned by my token vending machine is:

{"Statement":
    [
        {"Effect":"Allow",
         "Action":"s3:*",
         "Resource":"arn:aws:s3:::my-bucket-test",
         "Condition": {
            "StringLike": {
                "s3:prefix": "66-*"
            }
         }
        },
        {"Effect":"Deny","Action":"sdb:*","Resource":["arn:aws:sdb:us-east-1:MYACCOUNTIDHERE:domain/__USERS_DOMAIN__","arn:aws:sdb:us-east-1:MYACCOUNTIDHERE:domain/TokenVendingMachine_DEVICES"]},
        {"Effect":"Deny","Action":"iam:*","Resource":"*"}
    ]
}

The object I want to put has the same bucket name and the key 66-3315F11E-84FA-417F-9C32-AC4BE364AD99.natural.mp4

As far as I can tell this should work, but it does not, and it throws an Access Denied message. Is there something wrong with my policy statement?

1 answer:

Answer 0: (score: 1)

You don't need to use the prefix to reference the resource in the Object operation context. I would also recommend restricting the S3 actions. Below is a recommended policy, based on the policy in the article on the S3 Personal File Store. Feel free to remove ListBucket if it doesn't make sense for your application.

{"Statement":
    [
        {"Effect":"Allow",
         "Action":["s3:PutObject","s3:GetObject","s3:DeleteObject"],
         "Resource":"arn:aws:s3:::my-bucket-test/66-*"
        },
        {"Effect":"Allow",
         "Action":"s3:ListBucket",
         "Resource":"arn:aws:s3:::my-bucket-test",
         "Condition":{
              "StringLike":{
                   "s3:prefix":"66-*"
              }
         }
        },
        {"Effect":"Deny","Action":"sdb:*","Resource":["arn:aws:sdb:us-east-1:MYACCOUNTIDHERE:domain/__USERS_DOMAIN__","arn:aws:sdb:us-east-1:MYACCOUNTIDHERE:domain/TokenVendingMachine_DEVICES"]},
        {"Effect":"Deny","Action":"iam:*","Resource":"*"}
    ]
}
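The reason the original policy fails is easiest to see by evaluating both policies against the actual requests the app makes. The script below is an added example written for this page, not code from the question, the answer or AWS: it is a deliberately small policy evaluator (wildcard matching on Action and Resource, the StringLike condition operator, explicit deny wins, implicit deny otherwise) that models the two rules the answer relies on: object operations such as PutObject are evaluated against the object ARN (bucket/key), and the s3:prefix condition key is only present on bucket-level requests such as ListBucket, so a StringLike condition on it evaluates to false for an upload. The policies are the two from the thread; the only other values are the bucket and key from the question.

```python
import re

# Policy as returned by the asker's token vending machine (copied from the question).
ORIGINAL_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": "arn:aws:s3:::my-bucket-test",
     "Condition": {"StringLike": {"s3:prefix": "66-*"}}},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
]}

# Policy recommended in the answer (trailing comma removed so it is valid JSON).
RECOMMENDED_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::my-bucket-test/66-*"},
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::my-bucket-test",
     "Condition": {"StringLike": {"s3:prefix": "66-*"}}},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
]}

BUCKET = "arn:aws:s3:::my-bucket-test"
KEY = "66-3315F11E-84FA-417F-9C32-AC4BE364AD99.natural.mp4"
OBJECT = f"{BUCKET}/{KEY}"      # object operations are authorised against bucket/key


def _matches(pattern, value, case_insensitive=False):
    """IAM wildcard match: '*' is any run of characters, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Only StringLike is modelled, which is all these policies use.
    A StringLike test on a key that is absent from the request context is false,
    which is exactly what happens to s3:prefix on a PutObject request."""
    for key, patterns in condition.get("StringLike", {}).items():
        value = context.get(key)
        if value is None:
            return False
        if not any(_matches(p, value) for p in _as_list(patterns)):
            return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request (explicit deny wins; default deny)."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_matches(a, action, True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


def check_upload(policy):
    """The app's upload: PutObject on the object ARN, no s3:prefix in the context."""
    return evaluate(policy, "s3:PutObject", OBJECT)


def check_listing(policy, prefix):
    """A listing request: ListBucket on the bucket ARN, s3:prefix taken from the request."""
    return evaluate(policy, "s3:ListBucket", BUCKET, {"s3:prefix": prefix})


if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL_POLICY), ("recommended", RECOMMENDED_POLICY)):
        print(f"{name:12} PutObject {KEY[:12]}...: {check_upload(policy)}")
        print(f"{name:12} ListBucket prefix 66-:   {check_listing(policy, '66-')}")
        print(f"{name:12} ListBucket prefix 99-:   {check_listing(policy, '99-')}")
```

Under the original policy the upload is denied twice over: the bucket ARN does not match the object ARN, and even if it did, the s3:prefix condition has nothing to test on a PutObject request. Listing is the one operation the original policy does allow, which is why a prefix condition belongs only on the ListBucket statement, while the object statement scopes the key space through the Resource ARN instead.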