我制定了以下政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUserToSeeBucketListInTheConsole",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Sid": "AllooUserFullAccessToBucket",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::mybucket/*"
]
}
]
}
通过 Key/Secret 访问存储桶(使用 Cloudberry Explorer)时,我可以:
- 列出所有存储桶
- 列出、下载、上传和删除我的桶, 但仅当存储桶权限也满足此要求时:
或者
我需要在策略中添加另一项以取消存储桶级别权限要求:
{
"Sid": "AllooUserFullAccessToBucketPre",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::mybucket"
]
},
是否存在语法可以使策略中只有 2 个项目(AllowUserToSeeBucketListInTheConsole 和一个 AllooUserFullAccessToBucket),而不需要存储桶级别的权限?
答案1
根据我的经验,制定仅授予对存储桶及其内容的访问权限的政策是相当标准的做法。
我通常会使用这样的策略(不想允许该用户覆盖存储桶权限,或者删除存储桶等):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowS3Browse",
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "*",
},
{
"Sid": "GrantS3BucketAccess",
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:DeleteObject*",
"s3:Get*",
"s3:List*",
"s3:PutBucketAcl",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:RestoreObject"
],
"Resource": [
"arn:aws:s3:::bucket",
"arn:aws:s3:::bucket/*"
]
}
]
}
答案2
尝试一下这个:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::mybucket",
"arn:aws:s3:::mybucket/*"
]
},
{
"Effect": "Deny",
"NotAction": "s3:*",
"NotResource": [
"arn:aws:s3:::mybucket",
"arn:aws:s3:::mybucket/*"
]
}
]
}