堆栈内存溢出
  简体   繁体   English

AWS S3存储桶访问控制

[英]AWS S3 bucket access control

 原文  2018-05-03 21:22:01       amazon-web-services/ amazon-s3/ amazon-ec2

问题描述

In AWS, I (joe.doe@accountXYZ) created a S3 bucket, thus I am this s3 bucket owner. 在AWS中,我(joe.doe@accountXYZ)创建了一个S3存储桶,因此我是此s3存储桶的所有者。

I want to configure this S3 bucket based on the IAM role, thus only some IAM roles, such as [role_xyz, role_abc, role_cde], can can read this bucket. 我想基于IAM角色配置此S3存储桶,因此只有某些IAM角色(例如[role_xyz,role_abc,role_cde])可以读取此存储桶。

From the AWS console, it seems that I can not configure it. 从AWS控制台看,我似乎无法对其进行配置。

Can anyone tell me whether it is possible to do that? 谁能告诉我是否可以这样做?

======== ========

I understand that from the IAM role side you can configure a policy for this s3 resource. 我了解从IAM角色方面,您可以为此s3资源配置策略。 But my question here is on the s3 resource side, whether I can define a access policy based IAM roles. 但是我的问题是在s3资源方面,是否可以定义基于IAM角色的访问策略。

1 个解决方案

解决方案1
 2  2018-05-04 02:14:11

It appears that your requirement is to permit certain specific roles access to a particular Amazon S3 bucket. 看来您的要求是允许某些特定角色访问特定的Amazon S3存储桶。

There are two ways to do this: 有两种方法可以做到这一点:

Option 1: Add permissions to the Role 选项1:向角色添加权限

This is the preferred option. 这是首选选项。 You can add a policy to the IAM Role that grants access to the bucket. 您可以将策略添加到IAM角色,以授予对存储桶的访问权限。 It would look similar to: 它看起来类似于: 

{
    "Id": "Policy1",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::mybucket",
                "arn:aws:s3:::mybucket/*"
            ]
        }
    ]
}

This is a good method because you just add the policy to the desired Role(s), without having to touch the actual buckets. 这是一个很好的方法,因为您只需将策略添加到所需的角色,而无需接触实际的存储桶。

Option 2: Add a Bucket Policy 选项2:添加存储桶策略

This involves putting the permissions on the bucket , which grants access to a specific role. 这涉及将权限放到存储桶中 ,以授予对特定角色的访问权限。 This is less desirable because you would have to put the policy on every bucket and refer to every Role. 这是不太理想的,因为您必须将策略放在每个存储桶上并引用每个角色。

It would look something like: 它看起来像: 

{
    "Id": "Policy1",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::mybucket",
                "arn:aws:s3:::my-bucket/*"
            ],
            "Principal": "arn:aws:iam::123456789012:role/my-role"
        }
    ]
}

Please note that these policies are granting s3:* permissions on the bucket, that might be too wide for your purposes. 请注意,这些策略正在授予存储桶中的s3:*权限,对于您的用途而言,该权限可能太宽了。 It is always best to only grant the specific, required permissions rather than granting all permissions. 始终最好只授予特定的必需权限,而不是授予所有权限。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 适用于跨账户访问的AWS S3存储桶控制策略 - AWS S3 bucket control policy for cross-account access 控制塔 AWS - 共享 s3 存储桶 - Control Tower AWS - Share s3 bucket 访问客户端的 AWS S3 存储桶 - Access client's AWS S3 bucket 如何构建用于访问控制的 s3 存储桶 - How to structure s3 bucket for access control AWS CloudFront 访问 S3 存储桶被拒绝 - AWS CloudFront access denied to S3 bucket 是否按AWS区域限制对S3存储桶的访问? - Restricting access to an S3 bucket by AWS region? 配置AWS Lambda以访问S3 Bucket - Configuring AWS Lambda to access S3 Bucket AWS S3存储桶策略访问被拒绝 - AWS S3 Bucket policy Access Denyed 拒绝 2 个用户访问 AWS S3 存储桶 - Deny AWS S3 bucket access for 2 users AWS S3 存储桶访问文件权限 - AWS S3 Bucket Access file permission
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM