我的AWS账户中有很多S3存储桶。但是现在我创建了一个IAM用户和一个新的S3存储桶,我想让这个用户能够使用像CyberDuck这样的客户端访问新的S3存储桶。
我试图制作这么多政策。但在此之后,该用户也获得了列出我所有其他存储桶的权限。如何授予对单个S3存储桶的列表和写入权限的访问权限?
答案 0 :(得分:4)
首先,您创建一个允许访问单个S3存储桶的策略(IAM - >策略 - >创建策略)。您可以使用AWS Policy Generator(http://awspolicygen.s3.amazonaws.com/policygen.html),它应如下所示:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1528735049406",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:HeadBucket",
"s3:ListBucket",
"s3:ListObjects",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::YOURBUCKETNAME"
}
]
}
保存政策并记下您给它的名称,然后转到IAM - >用户并选择所需的用户。在权限标签中,点击“添加权限”,然后选择“直接附加现有政策”'靠近顶部。按名称查找您的政策,勾选其复选框并完成整个过程。
答案 1 :(得分:2)
他们需要能够至少列出所有桶。但除此之外,这也提供了一个示例政策,我昨晚刚用我自己的帐户,所以我可以确认它有效。
<强>更新 好的,我已经使用CyberDuck测试并确认以下策略(当然是根据您的环境定制)将阻止用户查看所有根存储桶,并且只允许他们访问您指定的存储桶:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAllInBucket",
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucket-for-single-user"
}
]
}
请确保在CyberDuck中指定路径时,将其输入为:bucket-for-single-user.s3.amazonaws.com。
此外,仅限START 不受限制,只是为了确保它适合您(因为访问似乎是一个问题)。在那之后,应用限制,你知道......最少的特权和所有。
答案 2 :(得分:1)
根据Cyberduck Help / Howto / Amazon S3,它支持直接输入存储桶名称,例如<bucketname>.s3.amazonaws.com。如果您使用的客户端可以做到这一点,则不需要s3:ListAllMyBuckets权限。
操作应该按照可以解析的资源进行分组 (操作中的条件也可能有所不同)。
此IAM策略将允许完全控制所有内容(存储桶中的 ) 无需控制S3存储桶子资源(存储桶的 ):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "BucketOperations",
"Effect": "Allow",
"Action": "s3:ListBucket*",
"Resource": "arn:aws:s3:::<bucketname>"
},
{
"Sid": "ObjectOperations",
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:ListMultipartUploads",
"s3:DeleteObject*",
"s3:GetObject*",
"s3:PutObject*"
],
"Resource": "arn:aws:s3:::<bucketname>/*"
},
{
"Sid": "DenyAllOthers",
"Effect": "Deny",
"Action": "s3:*",
"NotResource": [
"arn:aws:s3:::<bucketname>",
"arn:aws:s3:::<bucketname>/*"
]
}
]
}
如果您不是专门尝试将IAM用户锁定在每个用户之外
可能的公共S3存储桶,您可以关闭“ DenyAllOthers” Sid,
而不向用户授予其他权限。
仅供参考,AWS ReadOnlyAccess策略自动将s3:*授予
它附有的任何东西。我推荐ViewOnlyAccess(它将
不幸的是,在没有s3:ListAllMyBuckets的情况下授予了DenyAllOthers。
答案 3 :(得分:0)
制定我自己的政策并为我工作。 IAM用户可以只列出所有存储桶。但是不能在另一个桶上做任何事情。用户只能通过读取,写入,删除文件权限来访问特定存储桶。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "<EXAMPLE_SID>",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::<MYBUCKET>"
},
{
"Sid": "<EXAMPLE_SID>",
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*"
}, {
"Sid": "<EXAMPLE_SID>",
"Effect": "Deny",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::<MYotherBUCKET>"
}, {
"Sid": "<EXAMPLE_SID>",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::<MYBUCKET>/*"
}
]
}
然后将此政策也添加到此用户。此策略将所有类型的操作限制为列出的其他s3存储桶。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "<EXAMPLE_SID>",
"Effect": "Deny",
"Action": [
"s3:PutAnalyticsConfiguration",
"s3:GetObjectVersionTagging",
"s3:CreateBucket",
"s3:ReplicateObject",
"s3:GetObjectAcl",
"s3:DeleteBucketWebsite",
"s3:PutLifecycleConfiguration",
"s3:GetObjectVersionAcl",
"s3:PutBucketAcl",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:GetIpConfiguration",
"s3:DeleteObjectTagging",
"s3:GetBucketWebsite",
"s3:PutReplicationConfiguration",
"s3:DeleteObjectVersionTagging",
"s3:GetBucketNotification",
"s3:PutBucketCORS",
"s3:DeleteBucketPolicy",
"s3:GetReplicationConfiguration",
"s3:ListMultipartUploadParts",
"s3:PutObject",
"s3:GetObject",
"s3:PutBucketNotification",
"s3:PutBucketLogging",
"s3:PutObjectVersionAcl",
"s3:GetAnalyticsConfiguration",
"s3:GetObjectVersionForReplication",
"s3:GetLifecycleConfiguration",
"s3:ListBucketByTags",
"s3:GetInventoryConfiguration",
"s3:GetBucketTagging",
"s3:PutAccelerateConfiguration",
"s3:DeleteObjectVersion",
"s3:GetBucketLogging",
"s3:ListBucketVersions",
"s3:ReplicateTags",
"s3:RestoreObject",
"s3:GetAccelerateConfiguration",
"s3:GetBucketPolicy",
"s3:PutEncryptionConfiguration",
"s3:GetEncryptionConfiguration",
"s3:GetObjectVersionTorrent",
"s3:AbortMultipartUpload",
"s3:PutBucketTagging",
"s3:GetBucketRequestPayment",
"s3:GetObjectTagging",
"s3:GetMetricsConfiguration",
"s3:DeleteBucket",
"s3:PutBucketVersioning",
"s3:PutObjectAcl",
"s3:ListBucketMultipartUploads",
"s3:PutMetricsConfiguration",
"s3:PutObjectVersionTagging",
"s3:GetBucketVersioning",
"s3:GetBucketAcl",
"s3:PutInventoryConfiguration",
"s3:PutIpConfiguration",
"s3:GetObjectTorrent",
"s3:ObjectOwnerOverrideToBucketOwner",
"s3:PutBucketWebsite",
"s3:PutBucketRequestPayment",
"s3:GetBucketCORS",
"s3:PutBucketPolicy",
"s3:GetBucketLocation",
"s3:ReplicateDelete",
"s3:GetObjectVersion"
],
"Resource": [
"arn:aws:s3:::<MYotherBUCKET>/*",
"arn:aws:s3:::<MYotherBUCKET>"
]
}
]
}
答案 4 :(得分:0)
您需要在IAM用户下创建内联策略,以允许权限仅访问所需的S3存储桶。 找到示例策略,
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::example-bucket",
"arn:aws:s3:::example-bucket/*"
]
},
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
}
]
}
要了解有关此的更多详细信息,请找到此article。
答案 5 :(得分:0)
我最近能够使用Amazon的documentation来使它正常工作。对我来说,关键是将IAM用户指向特定的存储桶,而不是S3控制台。根据文档“警告:更改这些权限后,用户在访问Amazon S3主控制台时会遇到拒绝访问错误。主控制台链接类似于以下内容:
https://s3.console.aws.amazon.com/s3/home
相反,用户必须使用指向存储桶的直接控制台链接来访问存储桶,类似于以下内容:
https://s3.console.aws.amazon.com/s3/buckets/awsexamplebucket/“
我的政策如下:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1589486662000",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::AWSEXAMPLEBUCKET",
"arn:aws:s3:::AWSEXAMPLEBUCKET/*"
]
}
]
}