交叉帐户S3具有存储桶所有权的写入

时间:2018-09-13 09:24:38

标签: amazon-web-services amazon-s3

我正在尝试设置跨帐户S3写入。 帐户B IAM用户可以在帐户A的S3存储桶中进行写入,并将对象所有权转移到帐户A。

要强制执行此操作,我引用了https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html,并找到了以下示例:

{
   "Version":"2012-10-17",
   "Statement":[
     {
       "Sid":"111",
       "Effect":"Allow",
       "Principal":{"AWS":"1111111111"},
       "Action":"s3:PutObject",
       "Resource":"arn:aws:s3:::examplebucket/*"
     },
     {
       "Sid":"112",
       "Effect":"Deny",
       "Principal":{"AWS":"1111111111" },
       "Action":"s3:PutObject",
       "Resource":"arn:aws:s3:::examplebucket/*",
       "Condition": {
         "StringNotEquals": {"s3:x-amz-acl":"bucket-owner-full-control"}
       }
     }
   ]
}

我正在尝试将ConditionAllow进行如下添加,但是我不确定是否等于上面的内容,或者AWS示例中是否涵盖了任何边缘情况,但可能会击中我政策

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowWithBucketOwnerShip",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Effect": "Allow",
      "Resource": [
          "arn:aws:s3:::examplebucket/*"
      ],
      "Principal": {
        "AWS": [
          "arn:aws:iam::{account-id}:root"
        ]
      },
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
}

0 个答案:

没有答案