我有一个名为my-bucket的S3存储桶...我在此存储桶中有几个子文件夹,我们称它们为:sub-folder1,sub-folder2等
我希望my-bucket-user对存储桶具有读取权限,并对所有子文件夹具有完全控制权限(因此该用户不能在根级别进行写操作)。
我尝试了以下存储桶策略,该策略专门授予每个子文件夹的权限...但是,如果我有很多子文件夹,则该策略将变得太长。
{
"Id": "MyBucketPolicy",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListPermissionOnMyBucket",
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/*",
"Principal": {
"AWS": [
"arn:aws:iam::773643377756:user/my-bucket-user"
]
}
},
{
"Sid": "FullControlAccessOnSubFolder1",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/sub-folder1/*",
"Principal": {
"AWS": [
"arn:aws:iam::773643377756:user/my-bucket-user"
]
}
},
{
"Sid": "FullControlAccessOnSubFolder2",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/sub-folder2/*",
"Principal": {
"AWS": [
"arn:aws:iam::773643377756:user/my-bucket-user"
]
}
}
]
}
是否有更好的方法来编写此政策?
答案 0 :(得分:3)
此策略允许列出存储桶的全部内容,但只能上载/下载到子文件夹(而不是存储桶的根目录):
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "s3:ListBucket",
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket"
},
{
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/*/*"
}
]
}
基本上,表达式my-bucket/*/*强制要求对象的Key中有一个/,这意味着它位于子文件夹中。