仅授予特定用户对 S3 存储桶的访问权限，无公共访问权限

Question

我正在尝试配置一个 S3 存储桶，以便它只能供特定用户访问，而不是公众。

我创建了一个名为 s3-injury-log 的用户和以下存储桶策略

{
    "Id": "Policy1542998309644",
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Stmt1542998308012",
        "Action": "s3:*",
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::injury-log",
        "Principal": {
            "AWS": ["arn:aws:iam::058842494618:user/s3-injury-log"]
        }
    }]
}

我的“阻止所有公共访问”选项卡如下

Block all public access - Off
Block public access to buckets and objects granted through new access control lists (ACLs) - On
Block public access to buckets and objects granted through any access control lists (ACLs) - On
Block public access to buckets and objects granted through new public bucket policies - Off
Block public and cross-account access to buckets and objects through any public bucket policies - Off

但是当试图将一个对象放入桶中时（使用 aws java libs）我收到以下错误消息

Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: CC71A7EFAFC9BBDB; S3 Extended Request ID: klrwopIIJK3PsJzEw

知道我做错了什么吗？

Answer 1

看起来您的策略不正确，它只允许存储桶级别的操作。 因此 PutObject 操作被拒绝，这是对象级别的。

只需更新您的策略以允许对象级操作：

{
    "Id": "Policy1542998309644",
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Stmt1542998308012",
        "Action": "s3:*",
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::injury-log",
            "arn:aws:s3:::injury-log/*"
        ]
        "Principal": {
            "AWS": ["arn:aws:iam::058842494618:user/s3-injury-log"]
        }
    }]
}