IAM Policy: Users cannot access S3 bucket

I have created a user and assigned the following inline policy. I have also created a bucket in S3.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::bucketname"
        }
    ]
}

When I apply this policy to a specific user and try to access S3, the specific bucket listed in the Resource does not show up. What I don't understand is that I have allowed every action on s3, and yet my bucket does not appear in S3?

Using the visual editor I tried to create a policy for the same thing; the policy it produced looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:ListStorageLensConfigurations",
                "s3:ListAccessPointsForObjectLambda",
                "s3:GetAccessPoint",
                "s3:PutAccountPublicAccessBlock",
                "s3:GetAccountPublicAccessBlock",
                "s3:ListAllMyBuckets",
                "s3:ListAccessPoints",
                "s3:ListJobs",
                "s3:PutStorageLensConfiguration",
                "s3:ListMultiRegionAccessPoints",
                "s3:CreateJob"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::bucketname"
        }
    ]
}

Why does it create a separate set of actions for listing and allow them on every resource?

Some operations are performed at the bucket level (e.g. listing the bucket), while others are performed at the object level (e.g. downloading an object).

You can grant both kinds of permission at the same time.

Here is an example from User policy examples - Amazon Simple Storage Service:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action": "s3:ListAllMyBuckets",
         "Resource":"*"
      },
      {
         "Effect":"Allow",
         "Action":["s3:ListBucket","s3:GetBucketLocation"],
         "Resource":"arn:aws:s3:::bucketname"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:PutObject",
            "s3:PutObjectAcl",
            "s3:GetObject",
            "s3:GetObjectAcl",
            "s3:DeleteObject"
         ],
         "Resource":"arn:aws:s3:::bucketname/*"
      }
   ]
}

You can also combine them all into a single policy:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect": "Allow",
         "Action": "*",
         "Resource": ["arn:aws:s3:::bucketname", "arn:aws:s3:::bucketname/*"]
      }
   ]
}

Note, however, that this "allow everything" policy also grants the user permission to delete objects and the bucket itself, so be especially careful when granting such permissions to users.
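To see why the question's single-statement policy fails for the console bucket list while the documented three-statement policy works, here is an added, simplified IAM evaluator (not part of the original answer and not AWS's own engine; it models only Allow/Deny, wildcard matching and the three S3 request shapes, with both policies and the request list constructed inline):

```python
import fnmatch
import json

# Constructed for this example: the policy from the question (bucket ARN only)
# and the three-statement policy quoted in the answer.
QUESTION_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "s3:*",
                 "Resource": "arn:aws:s3:::bucketname"}]
}""")

ANSWER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": "arn:aws:s3:::bucketname"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::bucketname/*"}
  ]
}""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(pattern, value, case_insensitive=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    # Action names are case-insensitive; ARNs are compared as written.
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)

def is_allowed(policy, action, resource):
    """Simplified IAM logic: an explicit Deny wins, otherwise any matching
    Allow grants, otherwise the default is deny. Conditions, NotAction/
    NotResource and bucket policies are deliberately not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        act_hit = any(_matches(p, action, True) for p in _as_list(stmt["Action"]))
        res_hit = any(_matches(p, resource) for p in _as_list(stmt["Resource"]))
        if act_hit and res_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

# The three request shapes S3 uses: account-level (all buckets), bucket-level,
# and object-level. The object key is a constructed sample value.
REQUESTS = [
    ("s3:ListAllMyBuckets", "arn:aws:s3:::*"),
    ("s3:ListBucket", "arn:aws:s3:::bucketname"),
    ("s3:GetObject", "arn:aws:s3:::bucketname/report.csv"),
]

def evaluate(policy):
    """Map each sample request to its Allow/deny outcome under the policy."""
    return {action: is_allowed(policy, action, res) for action, res in REQUESTS}
```

Running `evaluate` on both policies shows the question's policy only permits the bucket-level call: the bucket listing needs a `*` resource and object reads need the `bucketname/*` ARN, which is exactly what the two extra statements supply.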