Amazon-Web-Services

AWS 使用策略設置 s3 儲存桶目錄訪問權限

  • December 11, 2018

我正在嘗試在AWS上創建一個策略,允許訪問 s3 儲存桶中的特定文件夾。根據文件,這可以通過以下策略完成

{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Sid": "AllowUserToSeeBucketListInTheConsole",
           "Action": [
               "s3:ListAllMyBuckets",
               "s3:GetBucketLocation"
           ],
           "Effect": "Allow",
           "Resource": [
               "arn:aws:s3:::*"
           ]
       },
       {
           "Sid": "AllowRootAndHomeListingOfCompanyBucket",
           "Action": [
               "s3:ListBucket"
           ],
           "Effect": "Allow",
           "Resource": [
               "arn:aws:s3:::my-policy-test"
           ],
           "Condition": {
               "StringEquals": {
                   "s3:prefix": [
                       "",
                       "home/",
                       "home/test-folder1"
                   ],
                   "s3:delimiter": [
                       "/"
                   ]
               }
           }
       },
       {
           "Sid": "AllowListingOfUserFolder",
           "Action": [
               "s3:ListBucket"
           ],
           "Effect": "Allow",
           "Resource": [
               "arn:aws:s3:::my-policy-test"
           ],
           "Condition": {
               "StringLike": {
                   "s3:prefix": [
                       "home/test-folder1/*"
                   ]
               }
           }
       },
       {
           "Sid": "AllowAllS3ActionsInUserFolder",
           "Effect": "Allow",
           "Action": [
               "s3:*"
           ],
           "Resource": [
               "arn:aws:s3:::my-policy-test/home/test-folder1/*"
           ]
       }
   ]
}

我創建了一個使用者來檢查此策略是否按預期工作,但不幸的是它沒有。當我使用測試使用者登錄時,我可以看到儲存桶中的文件夾,但我無法訪問我想要的名為“test-folder1”的文件夾。

**問題:**如何更改此策略以允許訪問 test-folder1?

home您的 S3 儲存桶中有文件夾嗎?您指的是home策略中的文件夾,但您沒有在測試使用者的測試中提及它。

查看該策略,我期望以下 S3 結構:

arn:aws:s3:::my-policy-test
- home
- home/test-folder1 (should have the rights here)
- other_folder

鑑於您的政策,這應該可行。

引用自:https://serverfault.com/questions/943816