AWS 中的细化策略文档权限

发布于 2024-12-09 20:01:41 字数 396 浏览 5 评论 0原文

我希望能够允许通过 IAM 创建的用户在管理控制台中查看一个特定存储桶。此外，我想将其限制为存储桶内的一个文件夹，以便权限为：

my-bucket/folder/* 的 S3 控制台访问权限

我将如何使用策略生成器执行此操作？我目前有：

{
   "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}

但是，当我修改资源位置时 - arn:aws:s3:::my-bucket/folder - 它根本阻止用户使用控制台。这可以吗？我需要做什么才能解决这个问题？

原文

I want to be able to allow users created through IAM to be able to view one specific bucket in the management console. Furthermore, I want to restrict it to a folder within the bucket, such that the permissions would be:

S3 Console access for my-bucket/folder/*

How would I do this using the policy generator? I currently have:

{
   "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}

However, when I modify the Resource location -- arn:aws:s3:::my-bucket/folder -- it prevents the user from being able to use the console at all. Is this possible to do and what do I need to do to be able to fix this?

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

顾北清歌寒 2024-12-16 20:01:41

这个政策让我想起了进行欧拉近似，但这就是我的做法（带有注释来解释）：

{
  "Statement": [
{             // first, allow unlimited access for S3
  "Effect": "Allow",  
  "Action": "s3:*",
  "Resource": "*"
},
{             // second, deny access to all buckets except for the particular bucket
  "Action": [
    "s3:*"
  ],
  "Effect": "Deny",
  "Resource": [
    list-of-my-other-buckets
  ]
},
{             // third, since we've already given * permissions, the bucket has full 
              // permissions, and we need to restrcit all the permissions we don't want to give
  "Action": [
    "s3:AbortMultipartUpload",
    "s3:CreateBucket",
    "s3:DeleteBucket",
    "s3:DeleteObject",
    "s3:DeleteObjectVersion",
    "s3:GetBucketAcl",
    "s3:GetBucketNotification",
    "s3:GetBucketPolicy",
    "s3:GetBucketRequestPayment",
    "s3:GetObjectAcl",
    "s3:GetObjectVersion",
    "s3:GetObjectVersionAcl",
    "s3:PutBucketAcl",
    "s3:PutBucketNotification",
    "s3:PutBucketPolicy",
    "s3:PutBucketRequestPayment",
    "s3:PutBucketVersioning",
    "s3:PutObjectAcl",
    "s3:PutObjectVersionAcl"
  ],      
  "Effect": "Deny",
  "Resource": [
    "arn:aws:s3:::my-bucket/*"
          ]
        }
    ]
}

The policy for this reminded me of doing an Euler apporximation, but this is how I did it (with comments to explain):

{
  "Statement": [
{             // first, allow unlimited access for S3
  "Effect": "Allow",  
  "Action": "s3:*",
  "Resource": "*"
},
{             // second, deny access to all buckets except for the particular bucket
  "Action": [
    "s3:*"
  ],
  "Effect": "Deny",
  "Resource": [
    list-of-my-other-buckets
  ]
},
{             // third, since we've already given * permissions, the bucket has full 
              // permissions, and we need to restrcit all the permissions we don't want to give
  "Action": [
    "s3:AbortMultipartUpload",
    "s3:CreateBucket",
    "s3:DeleteBucket",
    "s3:DeleteObject",
    "s3:DeleteObjectVersion",
    "s3:GetBucketAcl",
    "s3:GetBucketNotification",
    "s3:GetBucketPolicy",
    "s3:GetBucketRequestPayment",
    "s3:GetObjectAcl",
    "s3:GetObjectVersion",
    "s3:GetObjectVersionAcl",
    "s3:PutBucketAcl",
    "s3:PutBucketNotification",
    "s3:PutBucketPolicy",
    "s3:PutBucketRequestPayment",
    "s3:PutBucketVersioning",
    "s3:PutObjectAcl",
    "s3:PutObjectVersionAcl"
  ],      
  "Effect": "Deny",
  "Resource": [
    "arn:aws:s3:::my-bucket/*"
          ]
        }
    ]
}

回复收藏 0 原文

~没有更多了~