我有一家供应商,需要每晚将CSV文件和ZIP文件上传到AWS S3存储桶。显然,我不希望他们看到/访问我的其他存储桶。在与他们反复交流之后,他们完成此每晚任务的唯一方法是将以下策略应用于其用户的IAM组:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::*"
}
]
}
这显然不是理想的选择,我真的希望他们的用户使用更具限制性的策略。我已经使用IAM Policy Simulator测试了许多其他策略,并且在测试ListBucket和PutObject时,它们都导致了“拒绝-隐式拒绝(没有匹配的语句)”结果。我还从存储桶中删除了“阻止所有公共访问”设置,以为它正在创建固有的“拒绝”状态。
我尝试过的许多政策中有一些是
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::mybucket/*"
}
]
}
和
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":[
"s3:ListBucket"
],
"Resource":"arn:aws:s3:::mybucket"
},
{
"Effect":"Allow",
"Action":[
"s3:PutObject",
"s3:GetObject"
],
"Resource":"arn:aws:s3:::mybucket/*"
}
]
}
和
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::mybucket",
"arn:aws:s3:::mybucket/*"
]
}
]
}
对此将提供任何帮助。在此先感谢您的几分钟。
答案 0 :(得分:1)
更新:
我的进一步测试以及我的供应商进行的广泛测试都证实了这一要求,可以根据需要进行工作。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::mybucket",
"arn:aws:s3:::mybucket/*"
]
}
]
}