Simplifying multiple AWS S3 policies

Time: 2014-08-04 12:23:57

Tags: amazon-web-services amazon-s3 amazon-iam

Is there a way to somehow simplify the two AWS IAM policy statements given below into one?

I want to allow the ListBucket, GetBucketLocation, GetBucketPolicy and GetBucketACL actions on the bucket, and on the main folder and subfolders 1, 2 and 3 located inside the bucket.

I have two statements - one that allows actions on the bucket, and another that allows actions on the main folder and subfolders. Since the Action, Effect and Resource in both statements are identical, is it possible to write a single statement?

Thanks,

John

"Statement": [
    {
        "Effect": "Allow",
        "Sid": "AllowAccessToViewBucket",
        "Action": [
            "s3:ListBucket",
            "s3:GetBucketLocation",
            "s3:GetBucketPolicy",
            "s3:GetBucketACL"
        ],
        "Resource": "arn:aws:s3:::bucket"
    },
    {
        "Effect": "Allow",
        "Sid": "AllowAccessToListFilesInAllFolders",
        "Action": [
            "s3:ListBucket",
            "s3:GetBucketLocation",
            "s3:GetBucketPolicy",
            "s3:GetBucketACL"
        ],
        "Resource": "arn:aws:s3:::bucket",
        "Condition": {
            "StringEquals": {
                "s3:prefix": [
                    "mainfolder",
                    "mainfolder/subfolder1",
                    "mainfolder/subfolder2",
                    "mainfolder/subfolder3"
                ],
                "s3:delimiter": "/"
            }
        }
    }
]

2 answers:

Answer 0 (score: 4)

You can use a list of resources to combine these into a single statement, like this:

"Statement": [
    {
        "Effect": "Allow",
        "Sid": "AllowAccessToViewBucket",
        "Action": [
            "s3:ListBucket",
            "s3:GetBucketLocation",
            "s3:GetBucketPolicy",
            "s3:GetBucketACL"
        ],
        "Resource": [
            "arn:aws:s3:::bucket",
            "arn:aws:s3:::bucket/mainfolder",
            "arn:aws:s3:::bucket/mainfolder/subfolder1",
            "arn:aws:s3:::bucket/mainfolder/subfolder2",
            "arn:aws:s3:::bucket/mainfolder/subfolder3"
        ]
    }
]

Answer 1 (score: 1)

You can compress it further with wildcard statements.

http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html
http://docs.aws.amazon.com/AmazonS3/latest/dev/s3-arn-format.html

"Statement": [
    {
        "Effect": "Allow",
        "Sid": "AllowAccessToViewBucket",
        "Action": [
            "s3:ListBucket",
            "s3:GetBucketLocation",
            "s3:GetBucketPolicy",
            "s3:GetBucketACL"
        ],
        "Resource": [
            "arn:aws:s3:::bucket",
            "arn:aws:s3:::bucket/mainfolder",
            "arn:aws:s3:::bucket/mainfolder/*"
        ]
    }
]

Or, if you want them to have access to everything in the main folder:

"Statement": [
    {
        "Effect": "Allow",
        "Sid": "AllowAccessToViewBucket",
        "Action": [
            "s3:ListBucket",
            "s3:GetBucketLocation",
            "s3:GetBucketPolicy",
            "s3:GetBucketACL"
        ],
        "Resource": [
            "arn:aws:s3:::bucket",
            "arn:aws:s3:::bucket/mainfolder/*"
        ]
    }
]

Now note:

"The policy is split into two parts because the ListBucket action requires permission on the bucket while the other actions require permissions on the objects in the bucket. We used two different Amazon Resource Names (ARNs) to specify bucket-level and object-level permissions. The first Resource element specifies arn:aws:s3:::test for the ListBucket action so that applications can list all objects in the test bucket. The second Resource element specifies arn:aws:s3:::test/* for the GetObject, PutObject, and DeleteObject actions so that applications can read, write, and delete any objects in the test bucket."

https://aws.amazon.com/blogs/security/writing-iam-policies-how-to-grant-access-to-an-amazon-s3-bucket/
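Added example, not code from the question or from either answer: a small Python script that performs the merge answer 0 does by hand (statements that differ only in Resource become one statement with a combined Resource list) and then checks the result for the pitfall the AWS quote above describes. s3:ListBucket, s3:GetBucketLocation, s3:GetBucketPolicy and s3:GetBucketAcl are bucket-level actions, so an object ARN such as arn:aws:s3:::bucket/mainfolder/* listed under them matches no request and grants nothing; restricting listing to particular folders is done with the s3:prefix condition key on the bucket ARN, which is the mechanism the question's own second statement uses. The last function goes beyond the page and builds that prefix-scoped shape for any bucket and list of folders. The bucket name "bucket" and the folder names are the placeholders from this page; the function names and the sample input are mine.

```python
"""Merge IAM statements that differ only in Resource, and flag bucket-level S3
actions paired with object ARNs. Added example; sample data is constructed from
the placeholder bucket and folder names used on this page."""
import json

# These four actions operate on the bucket itself, so the only Resource that can
# match them is the bucket ARN. Compared case-insensitively, as IAM does.
BUCKET_LEVEL_ACTIONS = {"s3:listbucket", "s3:getbucketlocation",
                        "s3:getbucketpolicy", "s3:getbucketacl"}
S3_ARN_PREFIX = "arn:aws:s3:::"


def _as_list(value):
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _merge_key(stmt):
    """Statements may share one Resource list only if Effect, Action and Condition
    are identical; Sid is a label and is ignored."""
    return json.dumps({"Effect": stmt["Effect"],
                       "Action": sorted(a.lower() for a in _as_list(stmt["Action"])),
                       "Condition": stmt.get("Condition", {})}, sort_keys=True)


def merge_statements(statements):
    """Combine statements that differ only in Resource, keeping first-seen order,
    the first Sid, and de-duplicated resources."""
    merged, order = {}, []
    for stmt in statements:
        key = _merge_key(stmt)
        if key not in merged:
            new = {"Effect": stmt["Effect"], "Action": _as_list(stmt["Action"]),
                   "Resource": []}
            if "Sid" in stmt:
                new["Sid"] = stmt["Sid"]
            if "Condition" in stmt:
                new["Condition"] = stmt["Condition"]
            merged[key] = new
            order.append(key)
        for res in _as_list(stmt["Resource"]):
            if res not in merged[key]["Resource"]:
                merged[key]["Resource"].append(res)
    return [merged[k] for k in order]


def is_object_arn(arn):
    """arn:aws:s3:::bucket/key is an object ARN; arn:aws:s3:::bucket is a bucket ARN."""
    return arn.startswith(S3_ARN_PREFIX) and "/" in arn[len(S3_ARN_PREFIX):]


def find_ineffective_resources(statements):
    """Return (Sid, action, resource) triples where a bucket-level action is paired
    with an object ARN. Such entries never match a request; they only obscure scope."""
    findings = []
    for stmt in statements:
        for action in _as_list(stmt["Action"]):
            if action.lower() not in BUCKET_LEVEL_ACTIONS:
                continue
            for res in _as_list(stmt["Resource"]):
                if is_object_arn(res):
                    findings.append((stmt.get("Sid", ""), action, res))
    return findings


def scoped_listing_statements(bucket, prefixes):
    """Shape that really limits listing to chosen folders: all actions stay on the
    bucket ARN and the folder scope is carried by the s3:prefix condition key.
    A list request with no prefix, or a prefix outside the list, fails the
    condition and is therefore not allowed by this statement."""
    bucket_arn = S3_ARN_PREFIX + bucket
    return [
        {"Sid": "ViewBucketMetadata", "Effect": "Allow",
         "Action": ["s3:GetBucketLocation", "s3:GetBucketPolicy", "s3:GetBucketAcl"],
         "Resource": bucket_arn},
        {"Sid": "ListOnlyChosenFolders", "Effect": "Allow",
         "Action": "s3:ListBucket", "Resource": bucket_arn,
         "Condition": {"StringLike": {
             "s3:prefix": [p.rstrip("/") + "/*" for p in prefixes]}}},
    ]


VIEW_ACTIONS = ["s3:ListBucket", "s3:GetBucketLocation",
                "s3:GetBucketPolicy", "s3:GetBucketACL"]

# Constructed input: the two-statement form answer 0 starts from, one statement
# for the bucket ARN and one for the folder paths, identical otherwise.
SPLIT_STATEMENTS = [
    {"Effect": "Allow", "Sid": "AllowAccessToViewBucket", "Action": VIEW_ACTIONS,
     "Resource": "arn:aws:s3:::bucket"},
    {"Effect": "Allow", "Sid": "AllowAccessToListFilesInAllFolders",
     "Action": VIEW_ACTIONS,
     "Resource": ["arn:aws:s3:::bucket/mainfolder",
                  "arn:aws:s3:::bucket/mainfolder/subfolder1",
                  "arn:aws:s3:::bucket/mainfolder/subfolder2",
                  "arn:aws:s3:::bucket/mainfolder/subfolder3"]},
]

if __name__ == "__main__":
    merged = merge_statements(SPLIT_STATEMENTS)
    print(json.dumps({"Statement": merged}, indent=4))
    for sid, action, res in find_ineffective_resources(merged):
        print(f"{sid}: {action} never matches {res}")
    print(json.dumps({"Statement": scoped_listing_statements(
        "bucket", ["mainfolder", "mainfolder/subfolder1"])}, indent=4))
```

Run as a script it prints the merged single statement, one line per bucket-level action that is paired with an object ARN in it, and the prefix-scoped alternative. Before attaching any candidate policy to a real principal, exercise it with the IAM policy simulator (aws iam simulate-custom-policy) against a ListBucket call with and without a prefix, so the intended denials are confirmed rather than assumed.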