为什么我的IAM策略被拒绝访问?

时间:2014-07-29 21:17:29

标签: amazon-web-services amazon-s3 policy amazon-iam

I'm following this tutorial to a tee on how to grant single user access to a bucket.

我的政策与他们的政策完全相同:

{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGroupToSeeBucketListInTheConsole",
      "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::*"]
    },
    {
      "Sid": "AllowRootAndHomeListingOfCompanyBucket",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::my-company"],
      "Condition":{"StringEquals":{"s3:prefix":["","/"],"s3:delimiter":["/"]}}
    },
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::my-company"],
      "Condition":{"StringLike":{"s3:prefix":["home/${aws:username}/*"]}}
    },
    {
       "Sid": "AllowAllS3ActionsInUserFolder",
       "Action":["s3:*"],
       "Effect":"Allow",
       "Resource": ["arn:aws:s3:::my-company/home/${aws:username}/*"]
    }
  ]
}

我的用户名为bob,其政策已正确保存到他的IAM帐户中。

我可以登录该帐户,并以bob为用户查看我所有可用的存储分区。但是,如果我尝试访问广告管理系统my-company,我会获得Site says : Access Denied

我在这里缺少什么?

1 个答案:

答案 0 :(得分:0)

这是由于某些第三方S3客户端发出ListBucket请求以列出存储桶根,而根本没有提供“前缀”。这会导致“拒绝访问”,因为this blog post中的策略要求“前缀”为“”,“home /”或用户主目录,而不是完全缺席。

如果遇到此类问题,请添加以下块以授权此请求。

修复:

{
      "Sid": "AllowRootListingWithoutPrefix",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my-company"
      ],
      "Condition": {
        "Null": {
          "s3:prefix": "true"
        },
        "StringEquals": {
          "s3:delimiter": [
            "/"
          ]
        }
      }
    }