stackoom
  简体   繁体   中英

AWS S3 IAM policy to limit to single sub folder

 原文  2020-11-13 15:31:27       amazon-web-services/ amazon-s3/ permissions/ amazon-iam

Question

Scenario: I have a simple S3 bucket that multiple users will be uploading files to. Each user should be uploading to a specific folder and only that folder - no sub folders beyond that . Inside that folder, they can upload anything they want. I have an IAM policy that currently limits to that users folder, but allows them to specify sub folders, which I do not want.

Current IAM Policy JSON which limits to a top level folder:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor2",
        "Effect": "Allow",
        "Action": [
            "s3:PutObject",
            "s3:GetObjectTagging"
        ],
        "Resource": "arn:aws:s3:::[MY_BUCKET]/[MY_FOLDER]/*"
    }]
}

Proposed IAM Policy JSON which I expected to further limit PutObject only on the folder specified, but this doesn't seem to allow uploading of any object?:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor2",
        "Effect": "Allow",
        "Action": [
            "s3:PutObject",
            "s3:GetObjectTagging"
        ],
        "Resource": "arn:aws:s3:::[MY_BUCKET]/[MY_FOLDER]/*",
        "Condition": {
            "StringEquals": {
                "s3:prefix": [
                    "",
                    "[MY_FOLDER]/"
                ],
                "s3:delimiter": [
                    "/"
                ]
            }
        }
    }]
}

Expected Results

  • ALLOW arn:aws:s3:::[MY_BUCKET]/[MY_FOLDER]/[MY_FILE].csv
  • ALLOW arn:aws:s3:::[MY_BUCKET]/[MY_FOLDER]/[MY_FILE].parquet
  • ALLOW arn:aws:s3:::[MY_BUCKET]/[MY_FOLDER]/[MY_FILE].txt
  • DENY arn:aws:s3:::[MY_BUCKET]/[MY_FOLDER]/[MY_FOLDER1]/[MY FOLDER2]/[MY_FILE].txt
  • DENY arn:aws:s3:::[MY_BUCKET]/[MY_FOLDER]/[MY_FOLDER1]/[MY_FILE].txt
  • DENY arn:aws:s3:::[MY_BUCKET]/[MY_FOLDER]/[...N Folders]/[MY_FILE].txt

1 answers

solution1
 0  2020-11-13 19:13:46

There are no 'folders' in Amazon S3 as there are in a file system. What you see as folders, actually are just prefixes to the filename. The way, Amazon S3 works, you can restrict access to specific prefixes, but can't restrict the creation of additional prefixes underneath.

However, you can implement your requirement by utilizing Amazon S3 Events and a Lambda function. The process could look like this:

1. User stores file in Amazon S3

2. Amazon S3 fires an event notification , containing metadata, including object key (which represents the filename ) including prefixes (which represent the folders ).

3. Lambda function triggered by the S3 Event and processes the metadata by:

  • checking the filename for subsequent slashes ( / ) after the allowed prefix (which indicates a 'subfolder')
  • deleting the created file if it contains subsequent slashes

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question AWS IAM S3 download policy AWS S3 policy restrict folder delete AWS IAM s3:prefix AWS S3 bucket policy to deny everything to everyone except for one IAM user? AWS S3: IAM Policy with Deny IP Block Denies All IPs Allow IAM user to access specific folder in AWS S3 Bucket to view and upload objects S3 bucket policy to set a folder readable by a referring URL, and another folder only available to AWS user IAM Policy to determine S3 Bucket access based on user tags AWS S3 bucket policy with condition Strange Behavior with AWS S3 Lifecycle Policy
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM