这是我在Amazon S3中编写的策略。我认为它应该允许访问子文件夹,因为*但是当用户尝试创建或查看子文件夹时它会给出访问被拒绝的错误。如何更改此功能?
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUserToSeeBucketListInTheConsole",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Sid": "AllowRootAndMediaListingOfCompanyBucket",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::mycoolbucket"
],
"Condition": {
"StringEquals": {
"s3:prefix": [
"",
"media/"
],
"s3:delimiter": [
"/"
]
}
}
},
{
"Sid": "AllowAllS3ActionsInMediaFolder",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::mycoolbucket/media/*"
]
}
]
}
更多详情:
我以用户身份登录控制台。我去了媒体文件夹。然后,我单击媒体内的文件夹,并收到消息“错误访问被拒绝”。
答案 0 :(得分:3)
您缺少列出媒体文件夹内容的权限。将以下语句添加到您的策略中。
注意:您的策略应该添加到用户而不是存储桶本身。更好的选择是创建一个IAM组,将策略附加到该组,然后将每个用户添加到该组(您提到的正在进行的操作)。
{
"Sid": "AllowListingOfMediaFolder",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mycoolbucket"],
"Condition":{"StringLike":{"s3:prefix":["media/*"]}}
},
答案 1 :(得分:1)
使用此策略,我可以授予对Amazon S3中文件夹的所有子文件夹的访问权限
{ “ Version”:“ 2012-10-17”, “声明”:[ { “ Sid”:“”, “效果”:“允许”, “ Action”:“ s3:ListBucket”, “ Resource”:“ arn:aws:s3 ::: <>”, “健康)状况”: { “ StringLike”:{ “ s3:prefix”:“文件夹名称/ ” } } }, { “ Sid”:“”, “效果”:“允许”, “动作”:[ “ s3:GetObject ”, “ s3:PutObject *”, “ s3:ListBucket”, “ s3:DeleteObject *” ], “资源”:“ arn:aws:s3 ::: <> / foldername / *” } ] }