创建单个 IAM 用户以仅访问特定的 S3 存储桶
[英]Create a single IAM user to access only specific S3 bucket
问题描述
I have many S3 buckets in my AWS account.
我的 AWS 账户中有许多 S3 存储桶。 But now I created an IAM user and a new S3 bucket, I would like to give this user the ability to access the new S3 bucket using a client like CyberDuck.但是现在我创建了一个 IAM 用户和一个新的 S3 存储桶,我想让这个用户能够使用像 CyberDuck 这样的客户端访问新的 S3 存储桶。
I tried to create so many policies.我试图制定这么多政策。 But after that this user getting permission to list all my other buckets also.但在那之后,这个用户也获得了列出我所有其他存储桶的权限。 How can I give access to listing and writing access to a single S3 bucket?如何授予对单个 S3 存储桶的列出和写入访问权限?
5 个解决方案
解决方案1
7 2018-06-11 16:46:07
First you create a Policy to allow access to a single S3 bucket (IAM -> Policies -> Create Policy).首先,您创建一个策略以允许访问单个 S3 存储桶(IAM -> 策略 -> 创建策略)。 You can use AWS Policy Generator ( http://awspolicygen.s3.amazonaws.com/policygen.html ), it should look something like this:您可以使用 AWS Policy Generator ( http://awspolicygen.s3.amazonaws.com/policygen.html ),它应该如下所示:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1528735049406",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:HeadBucket",
"s3:ListBucket",
"s3:ListObjects",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::YOURBUCKETNAME"
}
]
}
Save the policy and note the name you gave to it, then go to IAM -> Users and select the desired user.保存策略并记下您为其指定的名称,然后转到 IAM -> 用户并选择所需的用户。 In the permissions tab, click 'Add permissions', then select 'Attach existing policies directly' near the top.在权限选项卡中,单击“添加权限”,然后选择顶部附近的“直接附加现有策略”。 Find your policy by its name, tick its checkbox and complete the process.按名称查找您的保单,勾选其复选框并完成该过程。
解决方案2
3 2018-06-11 16:52:58
Per this ( https://aws.amazon.com/blogs/security/writing-iam-policies-grant-access-to-user-specific-folders-in-an-amazon-s3-bucket/ )根据这个( https://aws.amazon.com/blogs/security/writing-iam-policies-grant-access-to-user-specific-folders-in-an-amazon-s3-bucket/ )
they'll need to be able to at least list all the buckets.他们至少需要能够列出所有的桶。 But other than that, this also provides an example policy, which I just used last night for my own account, so I can confirm that it works.但除此之外,这也提供了一个示例策略,我昨晚刚刚将其用于我自己的帐户,因此我可以确认它是否有效。
Update Okay, I've tested and confirmed using CyberDuck that the following policy (customized to your environment of course) will prevent users from viewing all root buckets, and only allow them access to the bucket you specify:更新好的,我已经使用 CyberDuck 进行了测试和确认,以下策略(当然针对您的环境进行了自定义)将阻止用户查看所有根存储桶,并且只允许他们访问您指定的存储桶:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAllInBucket",
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucket-for-single-user"
}
]
}
Just make sure that when you specify the path in CyberDuck, that you enter it as: bucket-for-single-user.s3.amazonaws.com .只需确保在 CyberDuck 中指定路径时,将其输入为: bucket-for-single-user.s3.amazonaws.com 。
Also, only START unrestricted like that, just to make sure it's working for you (since access appears to be an issue).此外,只有像这样不受限制地开始,只是为了确保它对你有用(因为访问似乎是一个问题)。 After that, apply restrictions , you know...least privilege and all.之后,应用限制,你知道......最低特权和所有。
解决方案3
2 2018-08-06 22:32:26
According to Cyberduck Help / Howto / Amazon S3 , it supports directly entering the Bucket name, as <bucketname>.s3.amazonaws.com .根据Cyberduck Help / Howto / Amazon S3 ,它支持直接输入 Bucket 名称,如<bucketname>.s3.amazonaws.com 。 If this is possible with the client you are using, you don't need s3:ListAllMyBuckets permissions.如果您使用的客户端可以做到这一点,则您不需要s3:ListAllMyBuckets权限。
Action s should be grouped by the Resource s that they can parse ( Conditions are also potentially different per Action ). Action应该按它们可以解析的Resource分组(每个Action 的条件也可能不同)。
This IAM policy will allow full control of all the content (aka in the bucket ) without controlling of the S3 bucket subresources (aka of the bucket ):此 IAM 策略将允许完全控制所有内容(也称为存储桶),而无需控制 S3 存储桶子资源(也称为存储桶):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "BucketOperations",
"Effect": "Allow",
"Action": "s3:ListBucket*",
"Resource": "arn:aws:s3:::<bucketname>"
},
{
"Sid": "ObjectOperations",
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:ListMultipartUploads",
"s3:DeleteObject*",
"s3:GetObject*",
"s3:PutObject*"
],
"Resource": "arn:aws:s3:::<bucketname>/*"
},
{
"Sid": "DenyAllOthers",
"Effect": "Deny",
"Action": "s3:*",
"NotResource": [
"arn:aws:s3:::<bucketname>",
"arn:aws:s3:::<bucketname>/*"
]
}
]
}
If you aren't specifically trying to lock the IAM user out of every possible public S3 bucket, you can leave the "DenyAllOthers" Sid off, without granting additional permissions to the users.如果您没有特别尝试将 IAM 用户锁定在每个可能的公共 S3 存储桶之外,您可以关闭“DenyAllOthers” Sid ,而无需向用户授予额外权限。
FYI, the AWS ReadOnlyAccess policy automatically gives s3:* to anything it's attached to.仅供参考,AWS ReadOnlyAccess策略会自动为它所附加的任何内容提供s3:* 。 I recommend ViewOnlyAccess (which will unfortunately grant s3:ListAllMyBuckets without the DenyAllOthers ).我推荐ViewOnlyAccess (不幸的是,它会在没有s3:ListAllMyBuckets情况下授予s3:ListAllMyBuckets DenyAllOthers )。
解决方案4
1 2019-11-08 04:59:48
I have many S3 buckets in my AWS account.我的AWS账户中有很多S3存储桶。 But now I created an IAM user and a new S3 bucket, I would like to give this user the ability to access the new S3 bucket using a client like CyberDuck.但是现在我创建了一个IAM用户和一个新的S3存储桶,我希望使该用户能够使用CyberDuck之类的客户端访问新的S3存储桶。
I tried to create so many policies.我试图制定许多政策。 But after that this user getting permission to list all my other buckets also.但是在那之后,该用户也获得了列出我所有其他存储桶的权限。 How can I give access to listing and writing access to a single S3 bucket?如何授予对单个S3存储桶的列表访问权限和写入权限?
解决方案5
0 2018-06-12 06:11:56
Create my own policy and working for me.创建我自己的政策并为我工作。 The IAM user can just list all bucket. IAM 用户可以只列出所有存储桶。 But cant do anything on another bucket.但是不能在另一个桶上做任何事情。 The user can only get access to the specific bucket with reading, write, delete files privileges.用户只能访问具有读取、写入、删除文件权限的特定存储桶。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "<EXAMPLE_SID>",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::<MYBUCKET>"
},
{
"Sid": "<EXAMPLE_SID>",
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*"
}, {
"Sid": "<EXAMPLE_SID>",
"Effect": "Deny",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::<MYotherBUCKET>"
}, {
"Sid": "<EXAMPLE_SID>",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::<MYBUCKET>/*"
}
]
}
Then add this policy also to this user.然后将此策略也添加到此用户。 This policy will restrict all type of operation to listed other s3 bucket.此策略将所有类型的操作限制为列出的其他 s3 存储桶。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "<EXAMPLE_SID>",
"Effect": "Deny",
"Action": [
"s3:PutAnalyticsConfiguration",
"s3:GetObjectVersionTagging",
"s3:CreateBucket",
"s3:ReplicateObject",
"s3:GetObjectAcl",
"s3:DeleteBucketWebsite",
"s3:PutLifecycleConfiguration",
"s3:GetObjectVersionAcl",
"s3:PutBucketAcl",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:GetIpConfiguration",
"s3:DeleteObjectTagging",
"s3:GetBucketWebsite",
"s3:PutReplicationConfiguration",
"s3:DeleteObjectVersionTagging",
"s3:GetBucketNotification",
"s3:PutBucketCORS",
"s3:DeleteBucketPolicy",
"s3:GetReplicationConfiguration",
"s3:ListMultipartUploadParts",
"s3:PutObject",
"s3:GetObject",
"s3:PutBucketNotification",
"s3:PutBucketLogging",
"s3:PutObjectVersionAcl",
"s3:GetAnalyticsConfiguration",
"s3:GetObjectVersionForReplication",
"s3:GetLifecycleConfiguration",
"s3:ListBucketByTags",
"s3:GetInventoryConfiguration",
"s3:GetBucketTagging",
"s3:PutAccelerateConfiguration",
"s3:DeleteObjectVersion",
"s3:GetBucketLogging",
"s3:ListBucketVersions",
"s3:ReplicateTags",
"s3:RestoreObject",
"s3:GetAccelerateConfiguration",
"s3:GetBucketPolicy",
"s3:PutEncryptionConfiguration",
"s3:GetEncryptionConfiguration",
"s3:GetObjectVersionTorrent",
"s3:AbortMultipartUpload",
"s3:PutBucketTagging",
"s3:GetBucketRequestPayment",
"s3:GetObjectTagging",
"s3:GetMetricsConfiguration",
"s3:DeleteBucket",
"s3:PutBucketVersioning",
"s3:PutObjectAcl",
"s3:ListBucketMultipartUploads",
"s3:PutMetricsConfiguration",
"s3:PutObjectVersionTagging",
"s3:GetBucketVersioning",
"s3:GetBucketAcl",
"s3:PutInventoryConfiguration",
"s3:PutIpConfiguration",
"s3:GetObjectTorrent",
"s3:ObjectOwnerOverrideToBucketOwner",
"s3:PutBucketWebsite",
"s3:PutBucketRequestPayment",
"s3:GetBucketCORS",
"s3:PutBucketPolicy",
"s3:GetBucketLocation",
"s3:ReplicateDelete",
"s3:GetObjectVersion"
],
"Resource": [
"arn:aws:s3:::<MYotherBUCKET>/*",
"arn:aws:s3:::<MYotherBUCKET>"
]
}
]
}
解决方案6
0 2020-05-15 14:22:17
I was recently able to get this to work using Amazon's documentation .我最近能够使用亚马逊的文档使其工作。 The key for me was to point the IAM User to the specific bucket NOT the S3 console .对我来说,关键是将 IAM 用户指向特定的存储桶,而不是 S3 控制台。 Per the documentation, "Warning: After you change these permissions, the user gets an Access Denied error when they access the main Amazon S3 console . The main console link is similar to the following:根据文档“警告:更改这些权限后,用户在访问 Amazon S3主控制台时会收到拒绝访问错误。主控制台链接类似于以下内容:
https://s3.console.aws.amazon.com/s3/home https://s3.console.aws.amazon.com/s3/home
Instead, the user must access the bucket using a direct console link to the bucket, similar to the following:相反,用户必须使用指向存储桶的直接控制台链接访问存储桶,类似于以下内容:
https://s3.console.aws.amazon.com/s3/buckets/awsexamplebucket/ " https://s3.console.aws.amazon.com/s3/buckets/awsexamplebucket/ "
My policy is below:我的政策如下:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1589486662000",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::AWSEXAMPLEBUCKET",
"arn:aws:s3:::AWSEXAMPLEBUCKET/*"
]
}
]
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.