继续如何限制 AWS Transfer 中的用户访问?...
我想要一个运行在单个存储桶中的多用户 SFTP 系统,其目录结构如下:
/my-bucket/user/user - user can: list
/in/ - user can: list get put
/out/ - user can: list get
我有一个 S3 存储桶,在其中为用户和 in/out/ 子目录创建了文件夹。
我现在的问题是,我只能使我的策略对我创建的第一个用户正确运行。其余用户最终都会出现权限问题,除非我删除缩小范围的策略,在这种情况下,他们的权限太多了。
我的存储桶是默认的 S3,没有任何配置。它根本不是公开的。
我的基本角色政策是这样的:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::my-bucket"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::my-bucket/*"
}
]
}
我的停机范围政策是:
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowListingOfUserFolder",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::${transfer:HomeBucket}"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"${transfer:HomeFolder}/*",
"${transfer:HomeFolder}"
]
}
}
},
{
"Sid": "InDirObjectAccess",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObjectVersion",
"s3:DeleteObject",
"s3:GetObjectVersion",
"s3:GetObjectACL",
"s3:PutObjectACL"
],
"Resource": "arn:aws:s3:::${transfer:HomeDirectory}/in/*"
},
{
"Sid": "OutDirObjectAccess",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:DeleteObjectVersion",
"s3:DeleteObject",
"s3:GetObjectVersion",
"s3:GetObjectACL"
],
"Resource": "arn:aws:s3:::${transfer:HomeDirectory}/out/*"
}
]
}
不幸的是,日志对此没有太大帮助。它们只是显示“权限被拒绝”。