我有一个S3存储桶和该存储桶的专用用户。如何仅为此专用用户限制对此特定存储桶的写访问权限,同时允许其他人从S3读取对象?
我应该为此编写一个存储桶策略吗?我对可以从控制台和存储桶策略配置的原始权限感到沮丧。这似乎是一回事。
我开始使用通过生成器制作的此类策略,但我不确定它是否正确。
{
"Id": "Policy1408967923699",
"Statement": [
{
"Sid": "Stmt1408967189392",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucket-name/*",
"Principal": {
"AWS": [
"*"
]
}
},
{
"Sid": "Stmt1408967224662",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucket-name/*",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:user/bucket-user"
]
}
}
]
}
答案 0 :(得分:3)
我使用组权限执行此操作...您只需创建一个用户组即可。在S3的Permissions部分中,确保允许Everyone具有读访问权限。在允许用户/组r / w访问的IAM组中:
{
"Statement": [
{
"Sid": "sidgoeshere",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:ListBucket",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::s3bucket",
"arn:aws:s3:::s3bucket/*"
]
}
]
}