我在我的AWS账户中有很多S3存储桶。但现在我创建了一个IAM用户和一个新的S3存储桶,我想让这个用户能够使用像CyberDuck这样的客户端来访问新的S3存储桶。
我尝试创建了很多策略。但是之后这个用户可以获得列出我所有其他存储桶的权限。如何只给予一个S3存储桶的列出和写入权限?
我在我的AWS账户中有很多S3存储桶。但现在我创建了一个IAM用户和一个新的S3存储桶,我想让这个用户能够使用像CyberDuck这样的客户端来访问新的S3存储桶。
我尝试创建了很多策略。但是之后这个用户可以获得列出我所有其他存储桶的权限。如何只给予一个S3存储桶的列出和写入权限?
首先,您需要创建一个允许访问单个S3存储桶的策略(IAM->策略->创建策略)。您可以使用AWS策略生成器(http://awspolicygen.s3.amazonaws.com/policygen.html),它应该看起来像这样:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1528735049406",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:HeadBucket",
"s3:ListBucket",
"s3:ListObjects",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::YOURBUCKETNAME"
}
]
}
保存策略并记下您给它的名称,然后转到IAM -> 用户并选择所需的用户。在权限选项卡中,单击“添加权限”,然后选择顶部附近的“直接附加现有策略”。通过其名称找到您的策略,选中其复选框并完成该过程。
"Resource": ["arn:aws:s3:::YOURBUCKETNAME", "arn:aws:s3:::YOURBUCKETNAME/*"]
- John Rotenstein{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAllInBucket",
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucket-for-single-user"
}
]
}
bucket-for-single-user.s3.amazonaws.com
。<bucketname>.s3.amazonaws.com
。如果您使用的客户端支持此功能,则不需要s3:ListAllMyBuckets
权限。
Action应按其可以解析的Resource进行分组(Conditions也可能因Action而异)。{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "BucketOperations",
"Effect": "Allow",
"Action": "s3:ListBucket*",
"Resource": "arn:aws:s3:::<bucketname>"
},
{
"Sid": "ObjectOperations",
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:ListMultipartUploads",
"s3:DeleteObject*",
"s3:GetObject*",
"s3:PutObject*"
],
"Resource": "arn:aws:s3:::<bucketname>/*"
},
{
"Sid": "DenyAllOthers",
"Effect": "Deny",
"Action": "s3:*",
"NotResource": [
"arn:aws:s3:::<bucketname>",
"arn:aws:s3:::<bucketname>/*"
]
}
]
}
Sid
,而无需向用户授予其他权限。ReadOnlyAccess
策略会自动向其附加的任何内容授予s3:*
。我建议使用ViewOnlyAccess
(这将不幸地授予s3:ListAllMyBuckets
而没有DenyAllOthers
)。{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "<EXAMPLE_SID>",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::<MYBUCKET>"
},
{
"Sid": "<EXAMPLE_SID>",
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*"
}, {
"Sid": "<EXAMPLE_SID>",
"Effect": "Deny",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::<MYotherBUCKET>"
}, {
"Sid": "<EXAMPLE_SID>",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::<MYBUCKET>/*"
}
]
}
然后也将此策略添加到此用户。该策略将限制对列出的其他S3存储桶的所有类型操作。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "<EXAMPLE_SID>",
"Effect": "Deny",
"Action": [
"s3:PutAnalyticsConfiguration",
"s3:GetObjectVersionTagging",
"s3:CreateBucket",
"s3:ReplicateObject",
"s3:GetObjectAcl",
"s3:DeleteBucketWebsite",
"s3:PutLifecycleConfiguration",
"s3:GetObjectVersionAcl",
"s3:PutBucketAcl",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:GetIpConfiguration",
"s3:DeleteObjectTagging",
"s3:GetBucketWebsite",
"s3:PutReplicationConfiguration",
"s3:DeleteObjectVersionTagging",
"s3:GetBucketNotification",
"s3:PutBucketCORS",
"s3:DeleteBucketPolicy",
"s3:GetReplicationConfiguration",
"s3:ListMultipartUploadParts",
"s3:PutObject",
"s3:GetObject",
"s3:PutBucketNotification",
"s3:PutBucketLogging",
"s3:PutObjectVersionAcl",
"s3:GetAnalyticsConfiguration",
"s3:GetObjectVersionForReplication",
"s3:GetLifecycleConfiguration",
"s3:ListBucketByTags",
"s3:GetInventoryConfiguration",
"s3:GetBucketTagging",
"s3:PutAccelerateConfiguration",
"s3:DeleteObjectVersion",
"s3:GetBucketLogging",
"s3:ListBucketVersions",
"s3:ReplicateTags",
"s3:RestoreObject",
"s3:GetAccelerateConfiguration",
"s3:GetBucketPolicy",
"s3:PutEncryptionConfiguration",
"s3:GetEncryptionConfiguration",
"s3:GetObjectVersionTorrent",
"s3:AbortMultipartUpload",
"s3:PutBucketTagging",
"s3:GetBucketRequestPayment",
"s3:GetObjectTagging",
"s3:GetMetricsConfiguration",
"s3:DeleteBucket",
"s3:PutBucketVersioning",
"s3:PutObjectAcl",
"s3:ListBucketMultipartUploads",
"s3:PutMetricsConfiguration",
"s3:PutObjectVersionTagging",
"s3:GetBucketVersioning",
"s3:GetBucketAcl",
"s3:PutInventoryConfiguration",
"s3:PutIpConfiguration",
"s3:GetObjectTorrent",
"s3:ObjectOwnerOverrideToBucketOwner",
"s3:PutBucketWebsite",
"s3:PutBucketRequestPayment",
"s3:GetBucketCORS",
"s3:PutBucketPolicy",
"s3:GetBucketLocation",
"s3:ReplicateDelete",
"s3:GetObjectVersion"
],
"Resource": [
"arn:aws:s3:::<MYotherBUCKET>/*",
"arn:aws:s3:::<MYotherBUCKET>"
]
}
]
}
"Effect": "Deny","Action": "s3:*","Resource": "arn:aws:s3:::<MYotherBUCKET>"
,有什么原因呢?如果它按照你的方式工作,那就没问题了,但更加简洁肯定是更好的选择。 - thisAaronMdev "Effect": "Deny","Action": "s3:*","Resource": "arn:aws:s3:::<MYotherBUCKET>"
的语句时,我遇到了访问被拒绝的错误。因此,我创建了两个策略。 - Sruthin Kumar TKhttps://s3.console.aws.amazon.com/s3/home
相反,用户必须使用 直接控制台链接到存储桶 来访问桶,类似于以下内容:
https://s3.console.aws.amazon.com/s3/buckets/awsexamplebucket/"
我的政策如下:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1589486662000",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::AWSEXAMPLEBUCKET",
"arn:aws:s3:::AWSEXAMPLEBUCKET/*"
]
}
]
}