限制帐户删除S3中的文件夹,但允许对该文件夹进行读/写操作

时间:2018-09-05 07:30:00

标签: amazon-s3

我想允许用户完全访问子文件夹,但不允许他们删除子文件夹。我已经写了这个政策,但是行不通。仍然允许用户删除“入站”和“出站”文件夹。

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "AllowUserToSeeBucketListForAllowedBucket",
        "Effect": "Allow",
        "Action": [
            "s3:ListBucket",
            "s3:ListAllMyBuckets",
            "s3:HeadBucket",
            "s3:ListBucketVersions",
            "s3:GetBucketLocation"
        ],
        "Resource": "arn:aws:s3:::mybucketxxxx"
    },
    {
        "Sid": "AllowUserToListAllBuckets",
        "Effect": "Allow",
        "Action": [
            "s3:ListAllMyBuckets",
            "s3:HeadBucket"
        ],
        "Resource": "*"
    },
    {
        "Sid": "AllUserFullAccessWithinStandardFolders",
        "Effect": "Allow",
        "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:DeleteObject"
        ],
        "Resource": [
            "arn:aws:s3:::mybucketxxxx/marketing/inbound/*",
            "arn:aws:s3:::mybucketxxxx/marketing/outbound/*"
        ]
    },
    {
        "Sid": "DenyUserFromDeletingStandardFolders",
        "Action": [
            "s3:DeleteObject"
        ],
        "Effect": "Deny",
        "Resource": [
            "arn:aws:s3:::mybucketxxxx/marketing/inbound",
            "arn:aws:s3:::mybucketxxxx/marketing/outbound"
        ]
    }
]}

可以做我想做的事吗?

2 个答案:

答案 0 :(得分:0)

创建一个单独的IAM角色,为此角色赋予s3除删除权限之外的所有权限。

答案 1 :(得分:0)

只需将政策的最后一部分更改为:

{
    "Sid": "DenyUserFromDeletingStandardFolders",
    "Action": [
        "s3:DeleteObject"
    ],
    "Effect": "Deny",
    "Resource": [
        "arn:aws:s3:::mybucketxxxx/marketing/inbound/",
        "arn:aws:s3:::mybucketxxxx/marketing/outbound/"
    ]
}

这是因为较早的策略授予包含/*的{​​{1}},但是此策略明确拒绝了/