我试图在S3中的对象级别限制用户访问。
s3存储桶中有2个文件夹。我试图只授予对对象中一个文件夹的访问权限。
这两个文件夹是:
- 经纪人
- 承运人
这是IAM角色策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::lodeobucket"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:DeleteObject",
"s3:DeleteObjectVersion"
],
"Resource": "arn:aws:s3:::lodeobucket/broker/*"
}
]
}
但是用户也可以访问运营商文件夹。
有人能告诉我我缺了什么吗?
如果添加以下条件:
"Condition":{"StringLike":{"s3:prefix":["","broker/*"]}}
您的用户将无法进入运营商文件夹。它在控制台中仍然可见。我认为你不能"隐藏";其他文件夹,因为这将中断控制台访问。
您可以尝试以下策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::lodeobucket",
"Condition":{"StringLike":{"s3:prefix":["","broker/*"]}}
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:DeleteObject",
"s3:DeleteObjectVersion"
],
"Resource": "arn:aws:s3:::lodeobucket/broker/*"
}
]
}