我想允许用户完全访问子文件夹,但不允许他们删除子文件夹。我已经写了这个政策,但是行不通。仍然允许用户删除“入站”和“出站”文件夹。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUserToSeeBucketListForAllowedBucket",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:ListAllMyBuckets",
"s3:HeadBucket",
"s3:ListBucketVersions",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::mybucketxxxx"
},
{
"Sid": "AllowUserToListAllBuckets",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:HeadBucket"
],
"Resource": "*"
},
{
"Sid": "AllUserFullAccessWithinStandardFolders",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::mybucketxxxx/marketing/inbound/*",
"arn:aws:s3:::mybucketxxxx/marketing/outbound/*"
]
},
{
"Sid": "DenyUserFromDeletingStandardFolders",
"Action": [
"s3:DeleteObject"
],
"Effect": "Deny",
"Resource": [
"arn:aws:s3:::mybucketxxxx/marketing/inbound",
"arn:aws:s3:::mybucketxxxx/marketing/outbound"
]
}
]}
可以做我想做的事吗?
答案 0 :(得分:0)
创建一个单独的IAM角色,为此角色赋予s3除删除权限之外的所有权限。
答案 1 :(得分:0)
只需将政策的最后一部分更改为:
{
"Sid": "DenyUserFromDeletingStandardFolders",
"Action": [
"s3:DeleteObject"
],
"Effect": "Deny",
"Resource": [
"arn:aws:s3:::mybucketxxxx/marketing/inbound/",
"arn:aws:s3:::mybucketxxxx/marketing/outbound/"
]
}
这是因为较早的策略授予包含/*的{{1}},但是此策略明确拒绝了/。