主页 / server / 问题 / 813872
Accepted
Gaia
Asked: 2016-11-09 12:10:11 +0800 CST

优化 S3 策略以实现完全访问

  • 772

我制定了以下政策:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUserToSeeBucketListInTheConsole",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Sid": "AllooUserFullAccessToBucket",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket/*"
            ]
        }
    ]
}

通过 Key/Secret(使用 Cloudberry Explorer)访问存储桶时,我可以:

  • 列出所有存储桶
  • 列出、下载、上传和删除到mybucket中,但前提是在存储桶权限上也有此权限

在此处输入图像描述

或者

我需要在策略中添加另一个项目以取消存储桶级别权限要求

{
    "Sid": "AllooUserFullAccessToBucketPre",
    "Effect": "Allow",
    "Action": [
        "s3:*"
    ],
    "Resource": [
        "arn:aws:s3:::mybucket"
    ]
},

是否存在允许策略中只有 2 个项目(AllowUserToSeeBucketListInTheConsole 和单个 AllooUserFullAccessToBucket)而不需要存储桶级别权限的语法?

amazon-s3 amazon-web-services

2 个回答

  1. Best Answer

    根据我的经验,制定一项仅授予对存储桶和内容的访问权限的策略是相当标准的做法。

    我通常会使用这样的策略(不想允许此用户覆盖存储桶权限,或删除存储桶等):

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowS3Browse",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*",
        },
        {
            "Sid": "GrantS3BucketAccess",
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:DeleteObject*",
                "s3:Get*",
                "s3:List*",
                "s3:PutBucketAcl",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:RestoreObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucket",
                "arn:aws:s3:::bucket/*"
            ]
        }        
    ]
}
    • 1

  2. 试试这个:

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::mybucket",
                "arn:aws:s3:::mybucket/*"
            ]
        },
        {
            "Effect": "Deny",
            "NotAction": "s3:*",
            "NotResource": [
                "arn:aws:s3:::mybucket",
                "arn:aws:s3:::mybucket/*"
            ]
        }
    ]
}
    • 0

相关问题