您是否难以理解S3 IAM策略和指令?您无法理解它们的文档吗?我也有同样的问题。
我曾经遇到这样一种情况,需要将多个IAM用户从特定文件夹和几个存储桶中锁定,除了其中一个存储桶以外,并且他们大部分的解决方案和示例都让我感到非常困惑。在搜索网络并没有找到我需要的内容之后,我找到了一个资源(http://blogs.aws.amazon.com/security/post/Tx1P2T3LFXXCNB5/Writing-IAM-policies-Grant-access-to-user-specific-folders-in-an-Amazon-S3-bucke),这篇文章非常清晰易懂,但需要进行一些修改,最终得到了下面的策略...
该策略允许用户访问存储桶中的特定文件夹,但拒绝访问同一存储桶中的任何其他列出的文件夹。请注意,您将无法阻止他们查看文件夹的内容,也无法阻止他们看到其他存储桶的存在,但是,他们将无法访问您选择的存储桶/文件夹。
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowUserToSeeBucketListInTheConsole",
"Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::*"]
},
{
"Sid": "AllowRootAndHomeListingOfCompanyBucket",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::yourbucketname"],
"Condition":{"StringEquals":{"s3:prefix":["","yourfoldername/"],"s3:delimiter":["/"]}}
},
{
"Sid": "AllowListingOfUserFolder",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::yourbucketname"],
"Condition":{"StringLike":{"s3:prefix":["yourfoldername/*"]}}
},
{
"Sid": "AllowAllS3ActionsInUserFolder",
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": ["arn:aws:s3:::yourbucketname/yourfoldername/*"]
},
{
"Action": [
"s3:*"
],
"Sid": "Stmt1375581921000",
"Resource": [
"arn:aws:s3:::yourbucketname/anotherfolder1/*",
"arn:aws:s3:::yourbucketname/anotherfolder2/*",
"arn:aws:s3:::yourbucketname/anotherfolder3/*",
"arn:aws:s3:::yourbucketname/anotherfolder4/*"
],
"Effect": "Deny"
}
]
}
"NotResource": [ ""arn:aws:s3:::yourbucketname/yourfoldername/*" ]-- 而不是列出所有的例外情况。 - drzaus