Question

当您与团队合作时，您可能希望将对单个S3存储桶的访问权限限制为特定用户。我怎样才能做到这一点？

以下代码无效。用户仍具有完全权限。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::Privatebacket",
                "arn:aws:s3:::Privatebacket/*"
            ]
        }
    ]
}

Answer 1

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                        "s3:GetBucketLocation",
                        "s3:ListAllMyBuckets"
                      ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::YOUR-BUCKET",
                "arn:aws:s3:::YOUR-BUCKET/*"
            ]
        }
    ]
}

https://www.serverkaka.com/2018/05/grant-access-to-only-one-s3-bucket-to-aws-user.html

Answer 2

尝试下面提到的链接。您可以使用IAM策略授予用户特定的文件夹权限。

https://aws.amazon.com/blogs/security/writing-iam-policies-grant-access-to-user-specific-folders-in-an-amazon-s3-bucket/

Answer 3

您可以为该IAM用户添加内联策略。你可以设置拒绝＆＃39;该特定s3存储桶的策略。

政策文件：

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "Stmt1497522841000",
        "Effect": "Deny",
        "Action": [
            "s3:*"
        ],
        "Resource": [
            "arn:aws:s3:::mjzone-private"
        ]
    }
]
}

使用Amazon IAM限制用户访问Single S3 Bucket？

3 个答案: