我正在尝试制定一项政策AWS允许访问 S3 存储桶中的特定文件夹。根据文档可以通过以下策略来实现
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUserToSeeBucketListInTheConsole",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Sid": "AllowRootAndHomeListingOfCompanyBucket",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::my-policy-test"
],
"Condition": {
"StringEquals": {
"s3:prefix": [
"",
"home/",
"home/test-folder1"
],
"s3:delimiter": [
"/"
]
}
}
},
{
"Sid": "AllowListingOfUserFolder",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::my-policy-test"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"home/test-folder1/*"
]
}
}
},
{
"Sid": "AllowAllS3ActionsInUserFolder",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::my-policy-test/home/test-folder1/*"
]
}
]
}
我创建了一个用户来检查此策略是否按预期工作,但不幸的是它没有。当我以测试用户身份登录时,我能够看到存储桶中的文件夹,但我无法访问我想要的名为“test-folder1”的文件夹。
问题:我如何更改此策略以允许访问 test-folder1?
答案1
您的 S3 存储桶中是否有文件夹?您在策略中home引用了该文件夹,但您在与测试用户的测试中没有提及它。home
查看策略,我期望以下 S3 结构:
arn:aws:s3:::my-policy-test
- home
- home/test-folder1 (should have the rights here)
- other_folder
根据您的政策,这应该有效。