因此,我一直在尝试定义一项策略,将一组 IAM 用户限制在 S3 存储桶中的特定文件夹中,但没有成功。我已经摆脱了这篇博文中概述的政策。 http://blogs.aws.amazon.com/security/post/Tx1P2T3LFXXCNB5/Writing-IAM-policies-Grant-access-to-user-specific-folders-in-an-Amazon-S3-bucke
具体来说,我正在使用以下内容:
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowUserToSeeBucketListInTheConsole",
"Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::*"]
},
{
"Sid": "AllowRootAndHomeListingOfCompanyBucket",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket"],
"Condition":{"StringEquals":{"s3:delimiter":["/"]}}
},
{
"Sid": "AllowListingOfUserFolder",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket"],
"Condition":{"StringLike":{"s3:prefix":["myfolder"]}}
},
{
"Sid": "AllowAllS3ActionsInUserFolder",
"Effect": "Allow",
"Action": ["s3:*"],
"Resource": ["arn:aws:s3:::mybucket/myfolder/*"]
}
]
}
不幸的是,出于某种原因,此策略不仅允许用户导航到指定的文件夹,而且还允许用户导航到同一存储桶中存在的其他文件夹。如何以只能导航到指定文件夹的方式限制用户?
最佳答案
我希望本文档对您有所帮助,步骤被分解并且非常简单:
http://docs.aws.amazon.com/AmazonS3/latest/dev/walkthrough1.html
您也可以使用策略变量。
它允许您在策略中指定占位符。评估策略时,策略变量将替换为来自请求本身的值。
例如 - ${aws:username}:
此外,您还可以查看这个 Stackoverflow 问题(如果看起来相关):
Preventing a user from even knowing about other users (folders) on AWS S3
关于amazon-web-services - AWS : Restricting IAM User to Specific Folder in S3 Bucket,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/25559975/