AWS custom IAM policy issue
Can anyone help me with a custom IAM policy with the below criteria?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1633084481455",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::abc-ftp"
    },
    {
      "Sid": "Stmt1633085010153",
      "Action": [
        "s3:AbortMultipartUpload", "s3:BypassGovernanceRetention", "s3:CreateAccessPoint",
        "s3:CreateAccessPointForObjectLambda", "s3:CreateMultiRegionAccessPoint", "s3:DeleteObject",
        "s3:DeleteObjectTagging", "s3:DeleteObjectVersion", "s3:DeleteObjectVersionTagging",
        "s3:DeleteStorageLensConfiguration", "s3:DeleteStorageLensConfigurationTagging", "s3:DescribeJob",
        "s3:DescribeMultiRegionAccessPointOperation", "s3:GetAccelerateConfiguration", "s3:GetAccessPoint",
        "s3:GetAccessPointConfigurationForObjectLambda", "s3:GetAccessPointForObjectLambda", "s3:GetAccessPointPolicy",
        "s3:GetAccessPointPolicyForObjectLambda", "s3:GetAccessPointPolicyStatus", "s3:GetAccessPointPolicyStatusForObjectLambda",
        "s3:GetAccountPublicAccessBlock", "s3:GetAnalyticsConfiguration", "s3:GetBucketAcl",
        "s3:GetBucketCORS", "s3:GetBucketLocation", "s3:GetBucketLogging",
        "s3:GetBucketNotification", "s3:GetBucketObjectLockConfiguration", "s3:GetBucketOwnershipControls",
        "s3:GetBucketPolicy", "s3:GetBucketPolicyStatus", "s3:GetBucketPublicAccessBlock",
        "s3:GetBucketRequestPayment", "s3:GetBucketTagging", "s3:GetBucketVersioning",
        "s3:GetBucketWebsite", "s3:GetEncryptionConfiguration", "s3:GetIntelligentTieringConfiguration",
        "s3:GetInventoryConfiguration", "s3:GetJobTagging", "s3:GetLifecycleConfiguration",
        "s3:GetMetricsConfiguration", "s3:GetMultiRegionAccessPoint", "s3:GetMultiRegionAccessPointPolicy",
        "s3:GetMultiRegionAccessPointPolicyStatus", "s3:GetObject", "s3:GetObjectAcl",
        "s3:GetObjectRetention", "s3:GetObjectTagging", "s3:GetObjectTorrent",
        "s3:GetObjectVersion", "s3:GetObjectVersionAcl", "s3:GetObjectVersionForReplication",
        "s3:GetObjectVersionTagging", "s3:GetObjectVersionTorrent", "s3:GetReplicationConfiguration",
        "s3:GetStorageLensConfiguration", "s3:GetStorageLensConfigurationTagging", "s3:GetStorageLensDashboard",
        "s3:ListAccessPoints", "s3:ListAccessPointsForObjectLambda", "s3:ListAllMyBuckets",
        "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:ListBucketVersions",
        "s3:ListJobs", "s3:ListMultiRegionAccessPoints", "s3:ListMultipartUploadParts",
        "s3:ListStorageLensConfigurations", "s3:ObjectOwnerOverrideToBucketOwner", "s3:PutAccelerateConfiguration",
        "s3:PutAccessPointConfigurationForObjectLambda", "s3:PutAccessPointPolicy", "s3:PutAccessPointPolicyForObjectLambda",
        "s3:PutAccountPublicAccessBlock", "s3:PutAnalyticsConfiguration", "s3:PutBucketAcl",
        "s3:PutBucketCORS", "s3:PutBucketLogging", "s3:PutBucketNotification",
        "s3:PutBucketObjectLockConfiguration", "s3:PutBucketOwnershipControls", "s3:PutBucketPolicy",
        "s3:PutBucketPublicAccessBlock", "s3:PutBucketRequestPayment", "s3:PutBucketTagging",
        "s3:PutBucketVersioning", "s3:PutBucketWebsite", "s3:PutEncryptionConfiguration",
        "s3:PutIntelligentTieringConfiguration", "s3:PutInventoryConfiguration", "s3:PutJobTagging",
        "s3:PutLifecycleConfiguration", "s3:PutMetricsConfiguration", "s3:PutMultiRegionAccessPointPolicy",
        "s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectLegalHold",
        "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionAcl",
        "s3:PutObjectVersionTagging", "s3:PutReplicationConfiguration", "s3:PutStorageLensConfiguration",
        "s3:PutStorageLensConfigurationTagging", "s3:ReplicateDelete", "s3:ReplicateObject",
        "s3:ReplicateTags", "s3:RestoreObject", "s3:UpdateJobPriority",
        "s3:UpdateJobStatus"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::abc-ftp/*"
    }
  ]
}
To grant a specific user access to an Amazon S3 bucket, you should add a policy to the IAM User.
Here is a sample IAM policy from User policy examples - Amazon Simple Storage Service:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::awsexamplebucket1"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::awsexamplebucket1/*"
    }
  ]
}
The above policy allows the user to list the names of all buckets, and upload/download to the awsexamplebucket1 bucket.
Anybody can access a CloudFront distribution via HTTP. Access is not restricted via IAM.
If you have private content, you can Serve private content with signed URLs and signed cookies - Amazon CloudFront.
IAM is only used to grant permission to users to manage the distribution (e.g. change the configuration). It is not used to control access to the content.
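As an added illustration (not part of the question or the answer above), this Python snippet applies the identity-policy evaluation rules (explicit Deny wins, then Allow, otherwise implicit deny) to a constructed policy that pairs the question's `s3:*` bucket statement with an object statement shaped like the answer's least-privilege example. It shows why `s3:*` on the bucket ARN also grants management actions such as `s3:PutBucketPolicy`, which the narrower sample never allows; Conditions, NotAction and NotResource are not modelled (assumption).

```python
import fnmatch
import json

# Constructed sample policy (not from the page): the question's bucket-level
# "s3:*" statement next to an object-level statement shaped like the answer's
# least-privilege example, so the two styles can be compared.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Stmt1633084481455", "Effect": "Allow",
     "Action": "s3:*", "Resource": "arn:aws:s3:::abc-ftp"},
    {"Sid": "ObjectAccess", "Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::abc-ftp/*"}
  ]
}""")

def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def _action_matches(pattern, action):
    # Action names are case-insensitive; '*' and '?' are the only wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def is_allowed(policy, action, resource):
    """Identity-policy decision: explicit Deny wins, then Allow, else implicit deny.
    Conditions, NotAction and NotResource are not modelled (assumption)."""
    decision = False
    for stmt in _as_list(policy["Statement"]):
        action_hit = any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
        # ARNs are case-sensitive, so match them exactly as written.
        resource_hit = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision

def wildcard_allows(policy):
    """Sids (or positions) of Allow statements that use a wildcard in any action."""
    found = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt["Effect"] == "Allow" and any("*" in a for a in _as_list(stmt["Action"])):
            found.append(stmt.get("Sid", str(i)))
    return found
```

Running `wildcard_allows` over a policy before attaching it is a cheap review step: any Sid it returns deserves a look at whether the bucket-level grant really needs more than `s3:ListBucket` and `s3:GetBucketLocation`.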