AWS 使用策略设置 s3 存储桶目录访问

AWS 使用策略设置 s3 存储桶目录访问

我正在尝试制定一项政策AWS允许访问 S3 存储桶中的特定文件夹。根据文档可以通过以下策略来实现

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUserToSeeBucketListInTheConsole",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Sid": "AllowRootAndHomeListingOfCompanyBucket",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::my-policy-test"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:prefix": [
                        "",
                        "home/",
                        "home/test-folder1"
                    ],
                    "s3:delimiter": [
                        "/"
                    ]
                }
            }
        },
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::my-policy-test"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "home/test-folder1/*"
                    ]
                }
            }
        },
        {
            "Sid": "AllowAllS3ActionsInUserFolder",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::my-policy-test/home/test-folder1/*"
            ]
        }
    ]
}

我创建了一个用户来检查此策略是否按预期工作,但不幸的是它没有。当我以测试用户身份登录时,我能够看到存储桶中的文件夹,但我无法访问我想要的名为“test-folder1”的文件夹。

问题:我如何更改此策略以允许访问 test-folder1?

答案1

您的 S3 存储桶中是否有文件夹?您在策略中home引用了该文件夹,但您在与测试用户的测试中没有提及它。home

查看策略,我期望以下 S3 结构:

arn:aws:s3:::my-policy-test
- home
- home/test-folder1 (should have the rights here)
- other_folder

根据您的政策,这应该有效。

相关内容