堆栈内存溢出
  简体   繁体   English

Amazon S3存储桶策略,我在做什么错?

[英]Amazon S3 bucket policy, what am I doing wrong?

 原文  2018-04-19 15:22:00       json/ amazon-web-services/ amazon-s3

问题描述

I used the Policy Generator to create a simple rule for my bucket; 我使用策略生成器为我的存储桶创建了一条简单规则; the rules should allow the following intended effect: 该规则应具有以下预期效果:

  • root access 根访问权限
  • limit access to given IAM user 将访问权限限制为给定的IAM用户
  • allow read-only access to everyone 允许所有人只读访问

To this purpose I wrote the following rule, but somethng didnt work as expected, and in particular, I have totally lost access to the bucket elements, was getting "Access Denied" in all cases, root included: 为此,我编写了以下规则,但是某件事没有按预期工作,特别是我完全失去了对存储桶元素的访问,在所有情况下都获得“访问被拒绝”,包括root:

在此处输入图片说明

edit : with @jarmod answer I was able to set the intended functionality, however it trigger a warning, about the bucket being public, I do not see the difference respect having no policy, the bucket is still publicly accessible for read-only. 编辑 :使用@jarmod答案,我能够设置预期的功能,但是它会触发有关存储桶公开的警告,我看不到没有政策的区别,存储桶仍可公开访问以只读。 What is the difference? 有什么区别?

在此处输入图片说明

1 个解决方案

解决方案1
 1 已采纳  2018-04-20 00:13:19

Perhaps you could do this as follows: 也许您可以这样做,如下所示:

  1. for all users, allow action s3:GetObject 对于所有用户,允许操作s3:GetObject
  2. for all users except root and your specific IAM user, deny all actions except s3:GetObject 对于除root和您的特定IAM用户以外的所有用户,请拒绝s3:GetObject以外的所有操作

You could do this with a policy something like this: 您可以使用类似以下的策略来做到这一点: 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::mybucket/*"
            ]
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "NotAction": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::mybucket/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userId": [
                        "iam-userid-here",
                        "root-userid-here"
                    ]
                }
            }
        }
    ]
}

To get iam-userid-here , run aws iam list-users and retrieve the UserId for the IAM user. iam-userid-here获取iam-userid-here ,请运行aws iam list-users并检索IAM用户的UserId。

Similarly, to get root-userid-here , simply retrieve the account number from the Arn of the previous aws iam list-users output. 同样,要root-userid-here获得root-userid-here ,只需从先前的aws iam list-users输出的Arn中检索帐号。 The root account userId is the AWS account number. 根帐户userId AWS帐号。

The IAM user indicated by iam-userid-here could then have an IAM policy allowing S3 access. 然后,由iam-userid-here指示的iam-userid-here可以具有允许S3访问的IAM策略。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Amazon S3存储桶策略允许访问仅特定的http - Amazon S3 bucket policy allow access to ONLY specific http JSON.NET的JsonConvert我在做什么错 - What am I doing wrong with JSON.NET's JsonConvert 如何在S3存储桶策略中执行OR条件? - How do I do an OR condition in an S3 bucket policy? 这个JSON我在做什么错? - What am I doing wrong with this JSON? 我对这个动态查询做错了什么? - What am i doing wrong with this dynamic query? 我在这个解析中做错了什么? - What am I doing wrong in this parsing? 我对这个阵列和foreach做错了什么? - what am i doing wrong with this array and foreach? Django和AJAX-我在做什么错? - Django and AJAX - what am I doing wrong? 这个JSON输出有什么问题? - What am I doing wrong with this JSON output? 我这样做错了吗? - Am I doing this wrong?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM