我正在尝试在Amazon Web Services S3中设置更复杂的S3 Access Setup。
环境包括以下内容:
Account A
- User/Role X
Account B
- User/Role Y
Account C
- User/Role Z
- Bucket 1
用户/角色X,Y和Z附加了“AdminstratorAccess”-Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
On Bucket 1是以下Bucket-Policy映射的:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AddPermGet",
"Effect": "Allow",
"Principal": {
"AWS": [ "arn:aws:iam::ACCCOUNT-B:user/someuser" ]
},
"Action": [
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::s3bucket/*"
},
{
"Sid": "AddPermGet",
"Effect": "Allow",
"Principal": {
"AWS": [ "arn:aws:iam::ACCCOUNT-A:user/someuser" ]
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::s3bucket/*"
},
{
"Sid": "AddPermList",
"Effect": "Allow",
"Principal": {
"AWS": [ "arn:aws:iam::ACCCOUNT-A:user/someuser" ]
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::s3bucket"
}
]
}
定义:
Account C is Owner of Bucket 1
我的测试:
uploading a file with user/role Z of Account C in Bucket 1 --> accessible for everyone granted in bucket policy --> User X and Z can access the file
uploading a file with user/role Y of Account B to Bucket 1 --> accessible only for user/role Y regardles of bucket policy content
uploading a file with user/role Y of Account B to Bucket 1 with "bucket-owner-full-control" (as defined in http://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl) --> accessible only for user/role Y and Z - but X gets: fatal error: An error occured (403) when calling the HeadObject operation: Forbidden. A list bucket works for all Users including X.
我想知道,帐户B的用户/角色Y上传到Bucket 1的文件与帐户C的用户/角色Z(桶的所有者)上传文件的行为相同。显然:我需要由策略定义的访问权限,而不是文件本身。是否可以启用“继承”?
干杯, 的Matthias