stackoom
  简体   繁体   中英

AWS: Restricting IAM User to Specific Folder in S3 Bucket

 原文  2014-08-29 00:30:18       amazon-web-services/ amazon-s3/ amazon-iam

Question

So I've been trying to define a policy to restrict a group of IAM users to a particular folder in an S3 bucket with no success. I've riffed off the policy outlined in this blog post. http://blogs.aws.amazon.com/security/post/Tx1P2T3LFXXCNB5/Writing-IAM-policies-Grant-access-to-user-specific-folders-in-an-Amazon-S3-bucke

Specifically I'm using the following: 

{
 "Version":"2012-10-17",
 "Statement": [
   {
     "Sid": "AllowUserToSeeBucketListInTheConsole",
     "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::*"]
   },
  {
     "Sid": "AllowRootAndHomeListingOfCompanyBucket",
     "Action": ["s3:ListBucket"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::mybucket"],
     "Condition":{"StringEquals":{"s3:delimiter":["/"]}}
    },
   {
     "Sid": "AllowListingOfUserFolder",
     "Action": ["s3:ListBucket"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::mybucket"],
     "Condition":{"StringLike":{"s3:prefix":["myfolder"]}}
   },
   {
     "Sid": "AllowAllS3ActionsInUserFolder",
     "Effect": "Allow",
     "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::mybucket/myfolder/*"]
   }
 ]
}

Unfortunately this policy for some reason allows users to navigate not only into the specified folder but other folders present in the same bucket. How do I restrict users in such a way that they can only navigate into the specified folder?

2 answers

solution1
 0  2017-09-10 15:22:20

I hope this documentation will help you out, the steps are broken down and quite simple to follow:

http://docs.aws.amazon.com/AmazonS3/latest/dev/walkthrough1.html

You can also use policy variables as well.

It lets you specify placeholders in a policy. When the policy is evaluated, the policy variables are replaced with values that come from the request itself. For example - ${aws:username}:


Further more you can also check out this Stackoverflow question (if seem relevant):

Preventing a user from even knowing about other users (folders) on AWS S3

solution2
 -3  2014-08-29 05:00:22

I've answered this before, but I'll answer again from here. It's best to create a user then add them to a group then assign the group r/w to the bucket. This is a typical example of how write the policy 

{
  "Statement": [
    {
      "Sid": "sidgoeshere",
      "Action": [
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::s3bucket",
        "arn:aws:s3:::s3bucket/*"
      ]
    }
  ]
}

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Giving an IAM user, permission to a specific folder of a bucket in AWS S3 How to give external AWS IAM user access to specific S3 Bucket folder AWS:Allowing Access to an IAM application user to a specific S3 bucket AWS IAM Policy to allow user access to specific S3 bucket for backup AWS S3 - How to restrict an IAM user to just a single bucket? AWS S3 IAM user can't access bucket IAM Policy to list specific folders inside a S3 bucket for an user Create a single IAM user to access only specific S3 bucket S3 bucket - limit number of downloads for a specific IAM user Restricting access to an S3 bucket by AWS region?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM