AWS中的粒度策略文档权限

时间:2011-10-13 02:28:06

标签: permissions amazon-s3 authorization amazon-web-services group-policy

我希望能够允许通过IAM创建的用户能够在管理控制台中查看一个特定的存储桶 。此外,我想将其限制在存储桶中的文件夹中,以便权限为:

对我的存储桶/文件夹/ *

的S3控制台访问

如何使用策略生成器执行此操作?我目前有:

{
   "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}

但是,当我修改资源位置 - arn:aws:s3:::my-bucket/folder时 - 它会阻止用户完全使用控制台。这可能吗?我需要做些什么才能解决这个问题?

1 个答案:

答案 0 :(得分:1)

这个政策提醒我做欧拉近似,但这就是我做的方式(附有评论解释):

{
  "Statement": [
{             // first, allow unlimited access for S3
  "Effect": "Allow",  
  "Action": "s3:*",
  "Resource": "*"
},
{             // second, deny access to all buckets except for the particular bucket
  "Action": [
    "s3:*"
  ],
  "Effect": "Deny",
  "Resource": [
    list-of-my-other-buckets
  ]
},
{             // third, since we've already given * permissions, the bucket has full 
              // permissions, and we need to restrcit all the permissions we don't want to give
  "Action": [
    "s3:AbortMultipartUpload",
    "s3:CreateBucket",
    "s3:DeleteBucket",
    "s3:DeleteObject",
    "s3:DeleteObjectVersion",
    "s3:GetBucketAcl",
    "s3:GetBucketNotification",
    "s3:GetBucketPolicy",
    "s3:GetBucketRequestPayment",
    "s3:GetObjectAcl",
    "s3:GetObjectVersion",
    "s3:GetObjectVersionAcl",
    "s3:PutBucketAcl",
    "s3:PutBucketNotification",
    "s3:PutBucketPolicy",
    "s3:PutBucketRequestPayment",
    "s3:PutBucketVersioning",
    "s3:PutObjectAcl",
    "s3:PutObjectVersionAcl"
  ],      
  "Effect": "Deny",
  "Resource": [
    "arn:aws:s3:::my-bucket/*"
          ]
        }
    ]
}