Coudfront OAI集拥有但允许其他AWS帐户上传s3对象的S3的存储桶策略应该是什么?

时间:2019-10-04 02:39:14

标签: amazon-s3 amazon-cloudfront

我有S3,该S3限制了提供私人内容的政策。只有Cloudfront Origin Access Identity可以访问。但是,应该允许其他帐户上载新对象,以便客户端可以获取新资产。对于这种情况应制定什么样的政策?

目前我的政策是这样

          {
                "Sid": "1",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity SomeID12334"
                },
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::my-bucket/*"
            }

1 个答案:

答案 0 :(得分:0)

您可以在存储桶策略中添加多个语句来处理权限。 从另一个帐户提供角色ARN,以提供对存储桶执行特定操作的访问权限。 

     {
         "Sid": "1",
         "Effect": "Allow",
         "Principal": {
             "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity SomeID12334"
            },
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::my-bucket/*"
    },
    {
        "Sid": "Stmt1570159952662",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::<accountno>:role/rolename"
        },
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::my-bucket"
    }
相关问题
最新问题