
AWS custom IAM policy issue

Can anyone help me with a custom IAM policy with the below criteria?

  1. Read/Write access to 'cloudfront.abc.com'
  2. Full permission to the 'abc_ftp' S3 bucket only, but it should not be able to delete the bucket itself (abc-ftp is the name of the AWS S3 bucket; full permission, with the criterion that it should not be able to delete the bucket itself).

I tried this:

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "Stmt1633084481455",
         "Action": "s3:*",
         "Effect": "Allow",
         "Resource": "arn:aws:s3:::abc-ftp"
      },
      {
         "Sid": "Stmt1633085010153",
         "Action": [
            "s3:AbortMultipartUpload",
            "s3:BypassGovernanceRetention",
            "s3:CreateAccessPoint",
            "s3:CreateAccessPointForObjectLambda",
            "s3:CreateMultiRegionAccessPoint",
            "s3:DeleteObject",
            "s3:DeleteObjectTagging",
            "s3:DeleteObjectVersion",
            "s3:DeleteObjectVersionTagging",
            "s3:DeleteStorageLensConfiguration",
            "s3:DeleteStorageLensConfigurationTagging",
            "s3:DescribeJob",
            "s3:DescribeMultiRegionAccessPointOperation",
            "s3:GetAccelerateConfiguration",
            "s3:GetAccessPoint",
            "s3:GetAccessPointConfigurationForObjectLambda",
            "s3:GetAccessPointForObjectLambda",
            "s3:GetAccessPointPolicy",
            "s3:GetAccessPointPolicyForObjectLambda",
            "s3:GetAccessPointPolicyStatus",
            "s3:GetAccessPointPolicyStatusForObjectLambda",
            "s3:GetAccountPublicAccessBlock",
            "s3:GetAnalyticsConfiguration",
            "s3:GetBucketAcl",
            "s3:GetBucketCORS",
            "s3:GetBucketLocation",
            "s3:GetBucketLogging",
            "s3:GetBucketNotification",
            "s3:GetBucketObjectLockConfiguration",
            "s3:GetBucketOwnershipControls",
            "s3:GetBucketPolicy",
            "s3:GetBucketPolicyStatus",
            "s3:GetBucketPublicAccessBlock",
            "s3:GetBucketRequestPayment",
            "s3:GetBucketTagging",
            "s3:GetBucketVersioning",
            "s3:GetBucketWebsite",
            "s3:GetEncryptionConfiguration",
            "s3:GetIntelligentTieringConfiguration",
            "s3:GetInventoryConfiguration",
            "s3:GetJobTagging",
            "s3:GetLifecycleConfiguration",
            "s3:GetMetricsConfiguration",
            "s3:GetMultiRegionAccessPoint",
            "s3:GetMultiRegionAccessPointPolicy",
            "s3:GetMultiRegionAccessPointPolicyStatus",
            "s3:GetObject",
            "s3:GetObjectAcl",
            "s3:GetObjectRetention",
            "s3:GetObjectTagging",
            "s3:GetObjectTorrent",
            "s3:GetObjectVersion",
            "s3:GetObjectVersionAcl",
            "s3:GetObjectVersionForReplication",
            "s3:GetObjectVersionTagging",
            "s3:GetObjectVersionTorrent",
            "s3:GetReplicationConfiguration",
            "s3:GetStorageLensConfiguration",
            "s3:GetStorageLensConfigurationTagging",
            "s3:GetStorageLensDashboard",
            "s3:ListAccessPoints",
            "s3:ListAccessPointsForObjectLambda",
            "s3:ListAllMyBuckets",
            "s3:ListBucket",
            "s3:ListBucketMultipartUploads",
            "s3:ListBucketVersions",
            "s3:ListJobs",
            "s3:ListMultiRegionAccessPoints",
            "s3:ListMultipartUploadParts",
            "s3:ListStorageLensConfigurations",
            "s3:ObjectOwnerOverrideToBucketOwner",
            "s3:PutAccelerateConfiguration",
            "s3:PutAccessPointConfigurationForObjectLambda",
            "s3:PutAccessPointPolicy",
            "s3:PutAccessPointPolicyForObjectLambda",
            "s3:PutAccountPublicAccessBlock",
            "s3:PutAnalyticsConfiguration",
            "s3:PutBucketAcl",
            "s3:PutBucketCORS",
            "s3:PutBucketLogging",
            "s3:PutBucketNotification",
            "s3:PutBucketObjectLockConfiguration",
            "s3:PutBucketOwnershipControls",
            "s3:PutBucketPolicy",
            "s3:PutBucketPublicAccessBlock",
            "s3:PutBucketRequestPayment",
            "s3:PutBucketTagging",
            "s3:PutBucketVersioning",
            "s3:PutBucketWebsite",
            "s3:PutEncryptionConfiguration",
            "s3:PutIntelligentTieringConfiguration",
            "s3:PutInventoryConfiguration",
            "s3:PutJobTagging",
            "s3:PutLifecycleConfiguration",
            "s3:PutMetricsConfiguration",
            "s3:PutMultiRegionAccessPointPolicy",
            "s3:PutObject",
            "s3:PutObjectAcl",
            "s3:PutObjectLegalHold",
            "s3:PutObjectRetention",
            "s3:PutObjectTagging",
            "s3:PutObjectVersionAcl",
            "s3:PutObjectVersionTagging",
            "s3:PutReplicationConfiguration",
            "s3:PutStorageLensConfiguration",
            "s3:PutStorageLensConfigurationTagging",
            "s3:ReplicateDelete",
            "s3:ReplicateObject",
            "s3:ReplicateTags",
            "s3:RestoreObject",
            "s3:UpdateJobPriority",
            "s3:UpdateJobStatus"
         ],
         "Effect": "Allow",
         "Resource": "arn:aws:s3:::abc-ftp/*"
      }
   ]
}

Access to Amazon S3 bucket

To grant a specific user access to an Amazon S3 bucket, you should add a policy to the IAM User.

Here is a sample IAM policy from User policy examples - Amazon Simple Storage Service:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action": "s3:ListAllMyBuckets",
         "Resource":"*"
      },
      {
         "Effect":"Allow",
         "Action":["s3:ListBucket","s3:GetBucketLocation"],
         "Resource":"arn:aws:s3:::awsexamplebucket1"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:PutObject",
            "s3:PutObjectAcl",
            "s3:GetObject",
            "s3:GetObjectAcl",
            "s3:DeleteObject"
         ],
         "Resource":"arn:aws:s3:::awsexamplebucket1/*"
      }
   ]
}

The above policy allows the user to list the names of all buckets, and upload/download to the awsexamplebucket1 bucket.

Access to CloudFront

Anybody can access a CloudFront distribution via HTTP. Access is not restricted via IAM.

If you have private content, you can Serve private content with signed URLs and signed cookies - Amazon CloudFront.

IAM is only used to grant permission to users to manage the distribution (eg change the configuration). It is not used to control access to the content.
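Added example, not code from the question or the answer above: a small Python model of how IAM evaluates an identity policy (explicit Deny overrides any Allow, otherwise implicit deny), run against a constructed policy shaped like the asker's ("s3:*" on the bucket ARN, which still covers s3:DeleteBucket) and a hypothetical hardened variant that adds an explicit Deny on s3:DeleteBucket. The policy dicts, the BUCKET constant and the sample object key are assumptions made for the example.

```python
import re

# Constructed policies (not from the original post). ORIGINAL mirrors the asker's
# shape: "s3:*" on the bucket ARN plus object-level actions on the bucket's objects.
BUCKET = "arn:aws:s3:::abc-ftp"
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": BUCKET},
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": BUCKET + "/*"},
    ],
}
# Hypothetical hardened variant: an explicit Deny on s3:DeleteBucket, which in IAM
# always wins over any Allow, including the "s3:*" wildcard above.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": ORIGINAL_POLICY["Statement"] + [
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": BUCKET},
    ],
}

def _wildcard_match(pattern, value, ignore_case):
    """IAM-style matching: '*' matches any run of characters, '?' a single one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None

def _any_match(patterns, value, ignore_case):
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(_wildcard_match(p, value, ignore_case) for p in patterns)

def is_allowed(policy, action, resource):
    """Simplified identity-policy evaluation: explicit Deny wins, then any Allow,
    otherwise implicit deny. Action names are case-insensitive, ARNs are not.
    Conditions, NotAction/NotResource, resource policies and permission
    boundaries are deliberately not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_any_match(stmt.get("Action", []), action, True)
                and _any_match(stmt.get("Resource", []), resource, False)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

if __name__ == "__main__":
    for name, pol in (("original", ORIGINAL_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "DeleteBucket:", is_allowed(pol, "s3:DeleteBucket", BUCKET),
              "PutObject:", is_allowed(pol, "s3:PutObject", BUCKET + "/report.csv"))
```

The authoritative check for a real policy is the IAM policy simulator (for example aws iam simulate-custom-policy), which also evaluates the conditions and boundaries this model ignores.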
