如何在S3 Bucket

Question

我想在s3 bukcet中限制对单个文件夹的访问。

我已经写了同样的IAM角色。但不知怎的，我没有将文件上传/同步到这个文件夹。其中bucket是存储桶名称，文件夹是我想要访问的文件夹。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUserToSeeBucketListInTheConsole",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Sid": "AllowRootAndHomeListingOfBucket",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::bucket"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:prefix": [
                        ""
                    ],
                    "s3:delimiter": [
                        "/"
                    ]
                }
            }
        },
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:HeadObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::bucket"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "folder/*"
                    ]
                }
            }
        }
    ]
}

请说明我的错误。

Answer 1

此限制性IAM策略仅授予对特定存储桶中的特定前缀的列表和上载访问权限。它还打算允许分段上传。

参考：

• https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html
• https://docs.aws.amazon.com/AmazonS3/latest/dev/mpuAndPermissions.html

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListBucket",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::mybucket",
            "Condition": {
                "StringLike": {
                    "s3:prefix": "my/prefix/is/this/*"
                }
            }
        },
        {
            "Sid": "UploadObject",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket/my/prefix/is/this/*",
            ]
        }
    ]
}

请注意，将s3:ListBucket资源紧凑地指定为"arn:aws:s3:::mybucket/my/prefix/is/this/*"无效。

Answer 2

我相信您所描述的场景AWS推荐了Bucket Policies。 AWS IAM应用于保护AWS资源（如S3本身），而Bucket策略可用于保护S3存储桶和文档。

查看此主题的AWS博客文章：

https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/

Answer 3

由于您要求建议您错在哪里： 1 GT;在AllowListingOfUserFolder中，您已将对象用作资源，但您已使用了桶级操作和＆＃34; s3：prefix＆＃34;不适用于对象级API。

请参阅此处列出的示例政策： http://docs.aws.amazon.com/AmazonS3/latest/dev/example-policies-s3.html#iam-policy-ex1 https://aws.amazon.com/blogs/security/writing-iam-policies-grant-access-to-user-specific-folders-in-an-amazon-s3-bucket/

希望这有帮助。

Answer 4

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListObjectsInBucket",
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::bucket-name"]
        },
        {
            "Sid": "AllObjectActions",
            "Effect": "Allow",
            "Action": "s3:*Object",
            "Resource": ["arn:aws:s3:::bucket-name/*"]
        }
    ]
}

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_s3_rw-bucket.html