I have three separate AWS accounts:
The problem I'm running into is that when an object is uploaded to the bucket, the object is owned by Account 2, so Account 3 cannot download it.
If I upload the object through Account 1, Account 3 can access it as expected. It looks like the ACL is having an unexpected effect on permissions.
I have several accounts that behave the same way as Account 3, so I'd like to avoid using ACLs altogether and control access purely through policies.
The bucket policy is:
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::Account3:root"
            },
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::my-magic-bucket"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::Account3:root"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-magic-bucket/*"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::Account2:root"
            },
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:GetBucketAcl"
            ],
            "Resource": "arn:aws:s3:::my-magic-bucket"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::Account2:root"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::my-magic-bucket/*"
        }
    ]
}
```
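The behaviour in the question follows from two S3 rules rather than from the policy text: a bucket policy can only grant access to objects the bucket owner actually owns, and who owns a freshly uploaded object depends on the bucket's Object Ownership setting (the legacy `ObjectWriter` default leaves it with the uploading account). The model below is an added example, not code from the question or from AWS; it replays the question's grants against a constructed copy of the policy with placeholder account IDs (`111111111111` as the bucket owner, `222222222222` as Account 2, `333333333333` as Account 3) and shows which combination of uploader and ownership setting lets Account 3 read. It deliberately ignores identity-based policies, explicit Deny statements and ACL grants to third parties.

```python
"""Simplified model of S3's cross-account object-access decision.

Added example (not AWS code). Two rules are modelled:
  1. A bucket policy can only grant access to objects the bucket owner owns.
  2. Ownership of an uploaded object depends on the bucket's Object Ownership
     setting: ObjectWriter, BucketOwnerPreferred or BucketOwnerEnforced.
Identity policies, explicit Deny and third-party ACL grants are ignored.
"""

import fnmatch

ACCOUNT1 = "111111111111"  # placeholder ID: bucket owner
ACCOUNT2 = "222222222222"  # placeholder ID: the writing account
ACCOUNT3 = "333333333333"  # placeholder ID: the reading account
BUCKET = "my-magic-bucket"


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def account_of(principal_arn):
    """'arn:aws:iam::111111111111:root' -> '111111111111'."""
    return principal_arn.split(":")[4]


def policy_allows(policy, requester, action, resource_arn):
    """True if some Allow statement names this account, action and resource."""
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        accounts = {account_of(p) for p in _as_list(statement["Principal"]["AWS"])}
        if requester not in accounts:
            continue
        if action not in _as_list(statement["Action"]):
            continue
        # IAM resource patterns use '*' as a wildcard; fnmatch handles that.
        if any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(statement["Resource"])):
            return True
    return False


def object_owner_after_upload(bucket_owner, uploader, ownership, canned_acl=None):
    """Which account owns the object once PutObject completes."""
    if ownership == "BucketOwnerEnforced":
        return bucket_owner  # ACLs disabled; the bucket owner owns every object
    if ownership == "BucketOwnerPreferred" and canned_acl == "bucket-owner-full-control":
        return bucket_owner  # ownership transfers only when this ACL is sent
    return uploader  # ObjectWriter: the uploading account keeps ownership


def can_get_object(policy, bucket_owner, object_owner, requester, key):
    """Cross-account GetObject under the simplified rules above."""
    if requester == object_owner:
        return True  # the owner keeps FULL_CONTROL on its own object
    if object_owner != bucket_owner:
        return False  # the bucket policy cannot grant what the bucket owner does not own
    return policy_allows(policy, requester, "s3:GetObject", f"arn:aws:s3:::{BUCKET}/{key}")


def allow_statement(account, actions, resource):
    """One Allow statement in the same shape as the question's policy."""
    return {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account}:root"},
        "Action": actions,
        "Resource": resource,
    }


# Constructed copy of the question's policy with placeholder account IDs.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        allow_statement(ACCOUNT3, ["s3:GetBucketLocation", "s3:ListBucket"], f"arn:aws:s3:::{BUCKET}"),
        allow_statement(ACCOUNT3, "s3:GetObject", f"arn:aws:s3:::{BUCKET}/*"),
        allow_statement(ACCOUNT2, ["s3:GetBucketLocation", "s3:ListBucket", "s3:GetBucketAcl"], f"arn:aws:s3:::{BUCKET}"),
        allow_statement(ACCOUNT2, ["s3:GetObject", "s3:PutObject", "s3:GetObjectAcl", "s3:PutObjectAcl"], f"arn:aws:s3:::{BUCKET}/*"),
    ],
}


def account3_can_read_after(uploader, ownership, canned_acl=None, key="reports/2024.csv"):
    """Upload as `uploader` under `ownership`, then ask whether Account 3 can read."""
    owner = object_owner_after_upload(ACCOUNT1, uploader, ownership, canned_acl)
    return can_get_object(BUCKET_POLICY, ACCOUNT1, owner, ACCOUNT3, key)


if __name__ == "__main__":
    scenarios = {
        "Account1 uploads, ObjectWriter": (ACCOUNT1, "ObjectWriter", None),
        "Account2 uploads, ObjectWriter (the question)": (ACCOUNT2, "ObjectWriter", None),
        "Account2 uploads, BucketOwnerPreferred, no ACL": (ACCOUNT2, "BucketOwnerPreferred", None),
        "Account2 uploads, BucketOwnerPreferred + bucket-owner-full-control": (ACCOUNT2, "BucketOwnerPreferred", "bucket-owner-full-control"),
        "Account2 uploads, BucketOwnerEnforced": (ACCOUNT2, "BucketOwnerEnforced", None),
    }
    for label, (uploader, ownership, acl) in scenarios.items():
        print(f"{label}: Account3 can read = {account3_can_read_after(uploader, ownership, acl)}")
```

The scenario that matches the question's goal of not using ACLs at all is `BucketOwnerEnforced`, set on the bucket with `aws s3api put-bucket-ownership-controls --bucket my-magic-bucket --ownership-controls 'Rules=[{ObjectOwnership=BucketOwnerEnforced}]'`: every object then belongs to the bucket owner and the bucket policy alone decides who can read it. With ACLs disabled, the `s3:GetObjectAcl` and `s3:PutObjectAcl` grants in the policy become dead weight, and any PutObject or PutObjectAcl request that sets an ACL other than `bucket-owner-full-control` is rejected, so uploaders that still send canned ACLs need to stop doing so.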