AWS:在S3存储桶中将IAM用户限制为特定文件夹

时间:2014-08-29 00:30:18

标签: amazon-web-services amazon-s3 amazon-iam

所以我一直在尝试定义一个策略,将一组IAM用户限制在S3存储桶中的特定文件夹,但没有成功。我已经对这篇博客文章中概述的政策不以为然。 http://blogs.aws.amazon.com/security/post/Tx1P2T3LFXXCNB5/Writing-IAM-policies-Grant-access-to-user-specific-folders-in-an-Amazon-S3-bucke

具体来说,我正在使用以下内容:

{
 "Version":"2012-10-17",
 "Statement": [
   {
     "Sid": "AllowUserToSeeBucketListInTheConsole",
     "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::*"]
   },
  {
     "Sid": "AllowRootAndHomeListingOfCompanyBucket",
     "Action": ["s3:ListBucket"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::mybucket"],
     "Condition":{"StringEquals":{"s3:delimiter":["/"]}}
    },
   {
     "Sid": "AllowListingOfUserFolder",
     "Action": ["s3:ListBucket"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::mybucket"],
     "Condition":{"StringLike":{"s3:prefix":["myfolder"]}}
   },
   {
     "Sid": "AllowAllS3ActionsInUserFolder",
     "Effect": "Allow",
     "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::mybucket/myfolder/*"]
   }
 ]
}

不幸的是,由于某种原因,此策略允许用户不仅导航到指定的文件夹,还导航到同一存储桶中的其他文件夹。如何以只能导航到指定文件夹的方式限制用户?

2 个答案:

答案 0 :(得分:0)

我希望这份文档可以帮助您,这些步骤已经细分,并且很容易理解:

http://docs.aws.amazon.com/AmazonS3/latest/dev/walkthrough1.html

您也可以使用政策变量。

它允许您在策略中指定占位符。评估策略时,策略变量将替换为来自请求本身的值。 例如 - ${aws:username}:


您还可以查看此Stackoverflow问题(如果看起来相关):

Preventing a user from even knowing about other users (folders) on AWS S3

答案 1 :(得分:-3)

我之前已经回答了这个问题,但我会从这里再次回答。创建用户然后将其添加到组中然后将组r / w分配给存储桶是最好的。这是编写策略的典型示例

{
  "Statement": [
    {
      "Sid": "sidgoeshere",
      "Action": [
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::s3bucket",
        "arn:aws:s3:::s3bucket/*"
      ]
    }
  ]
}
相关问题
最新问题