我有一个名为" facontroltest"的存储桶,在IAM上使用自定义策略创建了一个用户。当我访问不是策略存储桶的存储桶时,API会执行所有操作。但我需要api上的用户只能访问该存储桶。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListBucketMultipartUploads"
],
"Resource": "arn:aws:s3:::facontroltest",
"Condition": {}
},
{
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutObjectAclVersion"
],
"Resource": "arn:aws:s3:::facontroltest/*",
"Condition": {}
},
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*",
"Condition": {}
}
]
}
我的PHP代码:
$Credentials = new Credentials('key_user', 'secret_key');
$AmazonService = new S3Client([ 'version' => 'latest', 'region' => 'us-west-2', 'credentials' => $Credentials]);
$result = $AmazonService->getObject(array(
'Bucket' => 'other_bucket',
'Key' => 'file'
));
当我的政策仅允许" facontroltest"
时,为什么我可以访问其他存储桶