堆栈内存溢出
  简体   繁体   English

使用IAM用户正确配置(最佳)S3存储桶策略

[英]Proper (optimal) configuration of S3 Bucket Policy with IAM User

 原文  2015-07-16 10:50:06       amazon-web-services/ amazon-s3

问题描述

I'd have some experience with S3 bucket policies but recently I've started experimenting with IAM users/groups and S3 bucket ACLs. 我对S3存储桶策略有一定的经验,但是最近我开始尝试使用IAM用户/组和S3存储桶ACL。 What bothers me is that I fail to understand how they work together. 让我感到困扰的是,我不了解他们如何协同工作。 Who overwrites what? 谁覆盖什么? What I want to accomplish is to have specific IAM user (with credentials) that will be used as for uploading in my application. 我要完成的工作是拥有特定的IAM用户(具有凭据),该用户将用于在我的应用程序中上载。 I've attached IAM Policy to it that looks like this: 我已将IAM政策附加到该政策中,如下所示: 

{
    "Version": "2012-10-17",
    "Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:DeleteObject"
        ],
        "Resource": "arn:aws:s3:::*"
    }
    ]
}

This policy is attached to the IAM user. 此策略已附加到IAM用户。 Then I've created following policy on S3 Bucket: 然后,我在S3 Bucket上创建了以下策略: 

{
    "Version": "2012-10-17",
    "Statement": [
    {
        "Sid": "DefaultPrivate",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "*",
        "Resource": "arn:aws:s3:::xxxxx-xxxxxx-xxxx/*"
    },
    {
        "Sid": "ThumbnailAndGaleryReadOnly",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": [ 
            "arn:aws:s3:::xxxx-xxx-xxxx-xxxx/*/xxxxx/*",
            "arn:aws:s3:::xxxxx-xxxxx-xxxxx/*/xxxxxxx/*"
        ]
    },
    {
        "Sid": "S3UploaderWrite",
        "Effect": "Allow",
        "Principal": {"AWS":"arn:aws:iam::xxxxxxxxxx:user/xxxxxxxx"},
        "Action": [
            "s3:GetObject",
            "s3:PutObject",
            "s3:DeleteObject"
        ],
        "Resource": "arn:aws:s3:::xxxxxxxxxxxx/*"
    }
    ]
}

Unfortunately as long as "Deny" block is present in the S3 policy - it doesn't allow my S3 user to upload files. 不幸的是,只要S3策略中存在“拒绝”阻止,它就不允许我的S3用户上传文件。 Is it possible that I can't "override" Deny for specific user with the "Allow" block (IAM identifier is ok - I've double checked). 是否有可能无法使用“允许”块“覆盖”特定用户的拒绝(IAM标识符正常-我已仔细检查)。 Removing "Deny" blocks get it to work but ... That's not the point. 删除“ Deny”块可以使它正常工作,但这不是重点。

Any comments about the issue? 关于这个问题有何评论? How to explicitly deny everything and then allow only certain actions for certain IAM users/groups/roles ? 如何明确拒绝所有内容,然后仅允许某些IAM用户/组/角色执行某些操作?

Thanks. 谢谢。

1 个解决方案

解决方案1
 0 已采纳  2015-07-16 11:06:48

U could remove deny principal *. U可以删除拒绝主体*。 U could specify ur denied user or roles like "Principal": {"AWS":"arn:aws:iam::xxxxxxxxxx:user/xxxxxxxx"}. 您可以指定被拒绝的用户或角色,例如“ Principal”:{“ AWS”:“ arn:aws:iam :: xxxxxxxxxx:user / xxxxxxxx”}。 Its solve ur problem. 它解决了你的问题。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 S3存储桶上的IAM策略 - IAM policy on S3 bucket IAM策略,为用户列出S3存储桶中的特定文件夹 - IAM Policy to list specific folders inside a S3 bucket for an user 基于用户标签确定 S3 Bucket 访问的 IAM 策略 - IAM Policy to determine S3 Bucket access based on user tags 在Amazon S3存储桶上返回403 Forbidden的IAM用户策略 - IAM user policy returning 403 Forbidden on Amazon S3 bucket 即使在 S3 存储桶策略中指定了 IAM 用户,访问也被拒绝 - Access is denied even if IAM user is specified in S3 bucket policy 为什么存储桶策略不提供 IAM 用户列出 s3 存储桶,即使为用户设置了存储桶策略? - Why bucket policy does not provide IAM user to list s3 buckets even bucket policy is set for the user? 对S3存储桶的IAM策略的权限被拒绝 - Permission denied for IAM policy to S3 bucket S3存储桶策略和IAM角色冲突 - S3 Bucket Policy and IAM Role Conflicting IAM策略中的S3存储桶加密限制 - S3 bucket encryption restriction in IAM policy AWS:s3 存储桶策略不授予 IAM 用户上传到存储桶的权限,引发 403 错误 - AWS: s3 bucket policy does not give IAM user access to upload to bucket, throws 403 error
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM