问题描述
我的 S3 上有一个看起来像 images.mysite.com 的简单存储桶以及其他包含备份等的存储桶.
I have a simple bucket that looks like images.mysite.com on my S3 and other buckets containing backups, etc.
我希望允许特定用户访问 images.mysite.com 存储桶以上传图片.但是,我不希望他看到任何其他桶;甚至不知道它们存在.
I want to allow a specific user to be able to access the images.mysite.com bucket in order to upload images. However, I DO NOT want him to see any of the other buckets; not even that they exist.
我无法制定执行此操作的政策;每次我尝试一些限制性的东西时,它最终都会阻止任何存储桶的列表.
I could not make a policy that does this; every time I try something restrictive, it ends up blocking the listing of any buckets.
推荐答案
我已经尝试了一段时间,终于想出了一个可行的解决方案.您必须根据您正在执行的操作类型使用不同的资源".此外,我在上一个答案中包含了一些缺失的操作(例如 DeleteObject)并限制了更多操作(例如 PutBucketAcl).
I've been trying this for a while and finally came up with a working solution. You must use different "Resources" depending on the kind of action you're performing. Also I included some missing actions in the previous answer (like DeleteObject) and restricting some more (like PutBucketAcl).
以下 IAM 政策现在对我有用:
The following IAM policy is working for me now:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListBucketMultipartUploads"
],
"Resource": "arn:aws:s3:::itnighq",
"Condition": {}
},
{
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutObjectVersionAcl"
],
"Resource": "arn:aws:s3:::itnighq/*",
"Condition": {}
},
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*",
"Condition": {}
}
]
}
关于桶的动作和关于对象的动作必须有不同的arn.
The actions regarding a bucket and those regarding objects must have different arn.
这篇关于是否有 S3 策略限制访问只能查看/访问一个存储桶?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!