
AWS IAM Policy to allow user access to specific S3 bucket for backup

I have a NAS which supports backup of files to AWS S3. I have created a user under IAM in the AWS console and I have tried to generate a policy which only allows this user access to a specific S3 bucket with read/write permissions. The following is the policy I have generated:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1465916250000",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::atlas-nas-backups"
      ]
    }
  ]
}

However, when I run this through the policy simulator against all actions for S3, each one fails. What am I missing, such that this user can't write objects to the bucket? I don't want this user to have access to any AWS resources other than the ability to back up files to a specific bucket.

There is a quirk with bucket permissions, where you need to specify the bucket itself and its keys separately, using the /* wildcard. Additionally, even for a write operation, a List action may be required.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1465916250000",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::atlas-nas-backups",
        "arn:aws:s3:::atlas-nas-backups/*"
      ]
    }
  ]
}

I also added the "s3:GetBucketLocation" and "s3:ListBucket" actions. As previously noted, even if you are only writing objects, the service may want to list the items and get the location (region) of the bucket. You may not need these last two, but I just wanted to show them to you just in case.

A minimal policy for backup only requires PutObject and ListBucket.

Why ListBucket? If you only add PutObject, AWS will complain that it's missing the ListObjects permission.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::atlas-nas-backups/*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::atlas-nas-backups"
        }
    ]
}
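As an added example (not code from either answer), a small Python check for the bucket-ARN versus bucket/* quirk discussed above: it flags object-level actions that only name the bucket ARN, bucket-level actions that only name bucket/*, and wildcard resources that reach beyond one bucket. The mapping of actions to bucket or object level is an assumption limited to the actions that appear on this page.

```python
# Bucket-level vs object-level S3 actions. This mapping is an assumption that
# covers only the actions discussed on this page, not the full S3 action list.
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}
OBJECT_ACTIONS = {"s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:DeleteObject"}
S3_PREFIX = "arn:aws:s3:::"


def _as_list(value):
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_policy(policy):
    """Return findings for Allow statements whose S3 actions cannot match any of
    their Resource ARNs (bucket ARN vs. bucket/*), plus wildcard resources."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        resources = _as_list(stmt.get("Resource", []))
        if "*" in resources or S3_PREFIX + "*" in resources:
            findings.append(f"{sid}: wildcard Resource grants access to every bucket")
            continue
        keys = [r[len(S3_PREFIX):] for r in resources if r.startswith(S3_PREFIX)]
        has_bucket_arn = any("/" not in k for k in keys)   # arn:aws:s3:::bucket
        has_object_arn = any("/" in k for k in keys)       # arn:aws:s3:::bucket/*
        for action in _as_list(stmt.get("Action", [])):
            if action in OBJECT_ACTIONS and not has_object_arn:
                findings.append(f"{sid}: {action} needs an object ARN (bucket/*)")
            elif action in BUCKET_ACTIONS and not has_bucket_arn:
                findings.append(f"{sid}: {action} needs the bucket ARN itself")
    return findings


# Constructed sample: the question's original policy (object actions on the bucket ARN only).
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Stmt1465916250000", "Effect": "Allow",
                   "Action": ["s3:PutObject", "s3:PutObjectAcl"],
                   "Resource": ["arn:aws:s3:::atlas-nas-backups"]}],
}
# Constructed sample: the minimal policy from the second answer.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::atlas-nas-backups/*"},
        {"Sid": "VisualEditor1", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::atlas-nas-backups"},
    ],
}
```

Running `check_policy(ORIGINAL_POLICY)` reports both Put actions as lacking an object ARN, which is why the simulator denies them, while `check_policy(FIXED_POLICY)` returns no findings.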
