我在mac上使用cyberduck,我试图阻止用户通过I3的IAM策略访问某些目录。我有它的工作,它将阻止用户访问他们不应该访问的文件夹命名空间,但我注意到的一件事是,用户仍然可以访问其指定文件夹上方的文件(用户所在的文件夹)允许从cyberduck中访问被称为图像)。例如:
/images/
/afile1
/afile2
/afile3
/restrictedFolder1/
/restrictedFolder2/
所以我想知道的是,如果我可以限制访问该用户文件夹之外的文件,或者如果我不能,那么我可以通过IAM隐藏这些文件(或者只是在查询中返回它们)吗? / p>
我的政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUserToSeeBucketListInTheConsole",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Sid": "AllowListingOfBrandcentralPRDBucket",
"Action": [
"s3:ListBucket",
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::mybucket"
],
"Condition": {
"StringEquals": {
"s3:prefix": [
"",
"images/"
],
"s3:delimiter": [
"/"
]
}
}
},
{
"Sid": "ListObjectsForTheImagesFolder",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::mybucket"
],
"Condition": {
"StringNotEquals": {
"s3:prefix": [
"images/initial/",
"images/REJECTED/",
"assets/"
]
}
}
},
{
"Sid": "GrantPromissionsForTheImagesFolder",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:GetObjectAcl",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::mybucket/images/*"
]
}
]
}