问题描述
我在S3上有一个类似于images.mysite.com的简单存储桶,而其他包含备份的存储桶等.
I have a simple bucket that looks like images.mysite.com on my S3 and other buckets containing backups, etc.
我想允许特定用户能够访问images.mysite.com存储桶以上传图像.但是,我不希望他看到其他任何存储桶.甚至它们都不存在.
I want to allow a specific user to be able to access the images.mysite.com bucket in order to upload images. However, I DO NOT want him to see any of the other buckets; not even that they exist.
我无法制定出可以做到这一点的政策;每次我尝试限制性的操作时,最终都会阻止任何存储桶的列表.
I could not make a policy that does this; every time I try something restrictive, it ends up blocking the listing of any buckets.
推荐答案
我已经尝试了一段时间,最后提出了一个可行的解决方案.您必须根据执行的操作类型使用不同的资源".另外,我在上一个答案中包括了一些缺失的动作(例如DeleteObject),并限制了其他一些动作(例如PutBucketAcl).
I've been trying this for a while and finally came up with a working solution. You must use different "Resources" depending on the kind of action you're performing. Also I included some missing actions in the previous answer (like DeleteObject) and restricting some more (like PutBucketAcl).
以下IAM政策现在对我有效:
The following IAM policy is working for me now:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListBucketMultipartUploads"
],
"Resource": "arn:aws:s3:::itnighq",
"Condition": {}
},
{
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutObjectVersionAcl"
],
"Resource": "arn:aws:s3:::itnighq/*",
"Condition": {}
},
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*",
"Condition": {}
}
]
}
有关存储桶的操作和有关对象的操作必须具有不同的规则.
The actions regarding a bucket and those regarding objects must have different arn.
这篇关于是否有一个S3策略将访问权限限制为只能看到/访问一个存储桶?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!