我已经创建了一个用户,并分配了以下内联策略。和此同时,我在s3中创建了一个bucket。
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucketname"
当我将此策略应用于特定用户并尝试访问S3时,资源中列出的特定bucket是否不显示?我担心的是,我已经给所有s3都提供了Action,然后我的bucket没有出现在s3中吗?
通过可视化编辑器,我尝试为相同的事情创建策略,策略如下所示
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:ListStorageLensConfigurations",
"s3:ListAccessPointsForObjectLambda",
"s3:GetAccessPoint",
"s3:PutAccountPublicAccessBlock",
"s3:GetAccountPublicAccessBlock",
"s3:ListAllMyBuckets",
"s3:ListAccessPoints",
"s3:ListJobs",
"s3:PutStorageLensConfiguration",
"s3:ListMultiRegionAccessPoints",
"s3:CreateJob"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucketname"
}
]
}
为什么要为列表创建单独的操作,并允许对每个资源执行该操作?
有些操作在bucket级别执行(例如列出bucket(,而有些操作在对象级别执行(如下载对象(。
您可以同时授予这两个权限:
以下是用户策略示例中的一个示例-亚马逊简单存储服务:
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action": "s3:ListAllMyBuckets",
"Resource":"*"
},
{
"Effect":"Allow",
"Action":["s3:ListBucket","s3:GetBucketLocation"],
"Resource":"arn:aws:s3:::bucketname"
},
{
"Effect":"Allow",
"Action":[
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:DeleteObject"
],
"Resource":"arn:aws:s3:::bucketname/*"
}
]
}
您也可以将其合并为一个单独的策略:
{
"Version":"2012-10-17",
"Statement":[
{
"Effect": "Allow",
"Action": "*",
"Resource": ["arn:aws:s3:::bucketname", "arn:aws:s3:::bucketname/*"]
}
]
}
然而,请注意;允许所有";策略还为用户授予删除对象和bucket的权限,所以在向用户授予这样的权限时应该非常小心。