创建S3策略以允许完全访问一个S3子文件夹

时间:2018-06-14 12:57:15

标签: amazon-web-services amazon-s3

我正在尝试创建AWS S3策略,以允许对特定S3子文件夹的完全访问权限,但不允许其他任何内容。在下面的示例中,有一个名为Bob的开发人员。我创建了一个完全专用于Bob的目录,并希望通过登录控制台为他提供对此S3文件夹(bob文件夹)的完全读/写访问权限。

这是我尝试过的,虽然在尝试访问bob目录时,我收到了拒绝访问错误。我很欣赏有关如何实现这一目标的任何建议。 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::/mydir/devs/bob/*"
            ]
        }
    ]
}

2 个答案:

答案 0 :(得分:0)

请记住,S3对象是完整的密钥名称,因此您已授予以下权限:

/mydir/devs/bob/*

代表所有以/mydir/devs/bob/为前缀的密钥,但不包含密钥/mydir/devs/bob本身,这是您的"文件夹"。它还缺少一个存储桶名称(bucket-name/mydir/devs/bob/*)这意味着用户无法在"文件夹中使用列表操作"或者它的父文件夹。因此,Bob无法导航到他的文件夹。

在AWS博客here上有一个关于创建用户特定子文件夹的精彩演练。我们可以打破这些信息以适合您的用例,语句ID看起来像这样:

允许Bob获得所需的权限,以便在控制台中查看存储桶列表:

{
  "Sid": "AllowUserToSeeBucketListInTheConsole",
  "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
  "Effect": "Allow",
  "Resource": ["arn:aws:s3:::*"]
}

允许Bob通过允许在每个父目录上列出来导航到他的文件夹

{
  "Sid": "AllowRootAndHomeListingOfCompanyBucket",
  "Action": ["s3:ListBucket"],
  "Effect": "Allow",
  "Resource": ["arn:aws:s3:::bucket-name"],
  "Condition":{"StringEquals":{"s3:prefix":["","mydir/","mydir/devs/","mydir/devs/bob"],"s3:delimiter":["/"]}}
}

让Bob列出其文件夹中的所有文件和文件夹

{
  "Sid": "AllowListingOfUserFolder",
  "Action": ["s3:ListBucket"],
  "Effect": "Allow",
  "Resource": ["arn:aws:s3:::bucket-name"],
  "Condition":{"StringLike":{"s3:prefix":["mydir/devs/bob/*"]}}
}

最后,让Bob对其文件夹中的任何内容采取任何操作

{
   "Sid": "AllowAllS3ActionsInUserFolder",
   "Action":["s3:*"],
   "Effect":"Allow",
   "Resource": ["arn:aws:s3:::bucket-name/mydir/devs/bob/*"]
}

这结合起来像这样:

{
 "Version":"2012-10-17",
 "Statement": [
   {
     "Sid": "AllowUserToSeeBucketListInTheConsole",
     "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::*"]
   },
   {
     "Sid": "AllowRootAndHomeListingOfCompanyBucket",
     "Action": ["s3:ListBucket"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::bucket-name"],
     "Condition":{"StringEquals":{"s3:prefix":["","mydir/","mydir/devs/","mydir/devs/bob"],"s3:delimiter":["/"]}}
   },
   {
     "Sid": "AllowListingOfUserFolder",
     "Action": ["s3:ListBucket"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::bucket-name"],
     "Condition":{"StringLike":{"s3:prefix":["mydir/devs/bob/*"]}}
   },
   {
      "Sid": "AllowAllS3ActionsInUserFolder",
      "Action":["s3:*"],
      "Effect":"Allow",
      "Resource": ["arn:aws:s3:::bucket-name/mydir/devs/bob/*"]
   }
 ]
}

提供的文档还提供了一个很好的示例,通过在策略中使用${aws:username}变量来执行此操作,以便可以将其应用于组。

答案 1 :(得分:0)

这就是我对完全相同的需求。有些组合似乎违反直觉(为什么我同时需要ListAllBucketsListBucket - 但如果没有它,它似乎无效):

{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "s3:GetBucketLocation",
            "s3:ListAllMyBuckets"
        ],
        "Resource": [
            "arn:aws:s3:::*"
        ]
    },
    {
        "Effect": "Allow",
        "Action": [
            "s3:ListBucket"
        ],
        "Resource": [
            "arn:aws:s3:::mydir"
        ]
    },
    {
        "Effect": "Allow",
        "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:DeleteObject"
        ],
        "Resource": [
            "arn:aws:s3:::mydir/devs/bob/*"
        ]
    }
]
}

另外,我认为ListBucket需要一个存储桶(即您的示例中为mydir)。我认为它不适用于密钥(或文件夹),例如mydir/devs/bob

相关问题
最新问题