我有一个公共S3存储桶,里面有两个文件夹,public-folder和private-folder
我希望每个人都能访问public-folder,而我只希望user1能以编程方式访问private-folder。
在S3 bucket中,我添加了以下策略:
{
"Version": "2012-10-17",
"Id": "Policy1568654876568",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*"
},
{
"Effect": "Deny",
"NotPrincipal": {
"AWS": [
"arn-of-user1"
]
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/private-folder/*"
}
]
}
从IAM,我为user1创建了一个能够访问bucket:的策略
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket"
},
{
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/*"
}
]
}
有没有更好的方法来实现这个目标?是否可以使用S3策略拒绝所有人访问private-folder,然后使用我为user1定义的IAM策略覆盖该策略?
如果您有public-folder和private-folder,下面的操作不是更容易、更自然吗。以下内容基于bucket及其对象在默认情况下是私有这一事实。
Bucket策略
它允许公众访问public-folder:
{
"Version": "2012-10-17",
"Id": "Policy1568654876568",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/public-folder/*"
}
]
}
用户策略
它允许在private-folder中放置、获取和删除对象,并列出bucket。
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket"
},
{
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/private-folder/*"
}
]
}
是否可以使用S3策略拒绝所有人访问专用文件夹,然后使用我为user1定义的IAM策略覆盖该策略?
显式拒绝覆盖任何允许。因此,如果您拒绝所有人访问,则不能使用任何IAM策略来允许访问。