因此,我一直试图定义一个策略,将一组IAM用户限制在S3存储桶中的特定文件夹中,但没有成功。我重复了这篇博客文章中概述的政策。http://blogs.aws.amazon.com/security/post/Tx1P2T3LFXXCNB5/Writing-IAM-policies-Grant-access-to-user-specific-folders-in-an-Amazon-S3-bucke
具体来说,我使用以下内容:
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowUserToSeeBucketListInTheConsole",
"Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::*"]
},
{
"Sid": "AllowRootAndHomeListingOfCompanyBucket",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket"],
"Condition":{"StringEquals":{"s3:delimiter":["/"]}}
},
{
"Sid": "AllowListingOfUserFolder",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket"],
"Condition":{"StringLike":{"s3:prefix":["myfolder"]}}
},
{
"Sid": "AllowAllS3ActionsInUserFolder",
"Effect": "Allow",
"Action": ["s3:*"],
"Resource": ["arn:aws:s3:::mybucket/myfolder/*"]
}
]
}
不幸的是,由于某种原因,此策略不仅允许用户导航到指定的文件夹,还允许用户导航至同一存储桶中的其他文件夹。如何限制用户只能导航到指定的文件夹?
我希望这份文档能帮助你,步骤很简单:
http://docs.aws.amazon.com/AmazonS3/latest/dev/walkthrough1.html
您也可以使用策略变量。
它允许您在策略中指定占位符。在评估策略时,策略变量将替换为来自请求本身的值。例如${aws:username}:
此外,您还可以查看这个堆栈溢出问题(如果看起来相关):
防止用户知道AWS S3 上的其他用户(文件夹)
我以前回答过这个问题,但我将从这里再次回答。最好创建一个用户,然后将其添加到一个组中,然后将组r/w分配给bucket。这是如何编写策略的典型示例
{
"Statement": [
{
"Sid": "sidgoeshere",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:ListBucket",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::s3bucket",
"arn:aws:s3:::s3bucket/*"
]
}
]
}