我正在尝试设置跨帐户S3写入。 帐户B IAM用户可以在帐户A的S3存储桶中进行写入,并将对象所有权转移到帐户A。
要强制执行此操作,我引用了https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html,并找到了以下示例:
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"111",
"Effect":"Allow",
"Principal":{"AWS":"1111111111"},
"Action":"s3:PutObject",
"Resource":"arn:aws:s3:::examplebucket/*"
},
{
"Sid":"112",
"Effect":"Deny",
"Principal":{"AWS":"1111111111" },
"Action":"s3:PutObject",
"Resource":"arn:aws:s3:::examplebucket/*",
"Condition": {
"StringNotEquals": {"s3:x-amz-acl":"bucket-owner-full-control"}
}
}
]
}
我正在尝试将Condition
与Allow
进行如下添加,但是我不确定是否等于上面的内容,或者AWS示例中是否涵盖了任何边缘情况,但可能会击中我政策
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowWithBucketOwnerShip",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::examplebucket/*"
],
"Principal": {
"AWS": [
"arn:aws:iam::{account-id}:root"
]
},
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
}