![](/img/trans.png)
[英]terraform managed_policy_arns issue with aws_iam_role
[英]AWS custom IAM policy issue
有没有人帮我制定符合以下标准的自定义 IAM 政策
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1633084481455", "Action": "s3:*", "Effect": "Allow", "Resource": "arn:aws:s3:::abc-ftp" }, { "Sid": "Stmt1633085010153", "Action": [ "s3:AbortMultipartUpload", "s3:BypassGovernanceRetention", "s3:CreateAccessPoint", "s3:CreateAccessPointForObjectLambda", "s3:CreateMultiRegionAccessPoint", "s3:DeleteObject", "s3:DeleteObjectTagging", "s3:DeleteObjectVersion", "s3:DeleteObjectVersionTagging", "s3:DeleteStorageLensConfiguration", "s3:DeleteStorageLensConfigurationTagging", "s3:DescribeJob", "s3:DescribeMultiRegionAccessPointOperation", "s3:GetAccelerateConfiguration", "s3:GetAccessPoint", "s3:GetAccessPointConfigurationForObjectLambda", "s3:GetAccessPointForObjectLambda", "s3:GetAccessPointPolicy", "s3:GetAccessPointPolicyForObjectLambda", "s3:GetAccessPointPolicyStatus", "s3:GetAccessPointPolicyStatusForObjectLambda", "s3:GetAccountPublicAccessBlock", "s3:GetAnalyticsConfiguration", "s3:GetBucketAcl", "s3:GetBucketCORS", "s3:GetBucketLocation", "s3:GetBucketLogging", "s3:GetBucketNotification", "s3:GetBucketObjectLockConfiguration", "s3:GetBucketOwnershipControls", "s3:GetBucketPolicy", "s3:GetBucketPolicyStatus", "s3:GetBucketPublicAccessBlock", "s3:GetBucketRequestPayment", "s3:GetBucketTagging", "s3:GetBucketVersioning", "s3:GetBucketWebsite", "s3:GetEncryptionConfiguration", "s3:GetIntelligentTieringConfiguration", "s3:GetInventoryConfiguration", "s3:GetJobTagging", "s3:GetLifecycleConfiguration", "s3:GetMetricsConfiguration", "s3:GetMultiRegionAccessPoint", "s3:GetMultiRegionAccessPointPolicy", "s3:GetMultiRegionAccessPointPolicyStatus", "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectRetention", "s3:GetObjectTagging", "s3:GetObjectTorrent", "s3:GetObjectVersion", "s3:GetObjectVersionAcl", "s3:GetObjectVersionForReplication", "s3:GetObjectVersionTagging", "s3:GetObjectVersionTorrent", "s3:GetReplicationConfiguration", "s3:GetStorageLensConfiguration", "s3:GetStorageLensConfigurationTagging", "s3:GetStorageLensDashboard", "s3:ListAccessPoints", "s3:ListAccessPointsForObjectLambda", "s3:ListAllMyBuckets", "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:ListBucketVersions", "s3:ListJobs", "s3:ListMultiRegionAccessPoints", "s3:ListMultipartUploadParts", "s3:ListStorageLensConfigurations", "s3:ObjectOwnerOverrideToBucketOwner", "s3:PutAccelerateConfiguration", "s3:PutAccessPointConfigurationForObjectLambda", "s3:PutAccessPointPolicy", "s3:PutAccessPointPolicyForObjectLambda", "s3:PutAccountPublicAccessBlock", "s3:PutAnalyticsConfiguration", "s3:PutBucketAcl", "s3:PutBucketCORS", "s3:PutBucketLogging", "s3:PutBucketNotification", "s3:PutBucketObjectLockConfiguration", "s3:PutBucketOwnershipControls", "s3:PutBucketPolicy", "s3:PutBucketPublicAccessBlock", "s3:PutBucketRequestPayment", "s3:PutBucketTagging", "s3:PutBucketVersioning", "s3:PutBucketWebsite", "s3:PutEncryptionConfiguration", "s3:PutIntelligentTieringConfiguration", "s3:PutInventoryConfiguration", "s3:PutJobTagging", "s3:PutLifecycleConfiguration", "s3:PutMetricsConfiguration", "s3:PutMultiRegionAccessPointPolicy", "s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionAcl", "s3:PutObjectVersionTagging", "s3:PutReplicationConfiguration", "s3:PutStorageLensConfiguration", "s3:PutStorageLensConfigurationTagging", "s3:ReplicateDelete", "s3:ReplicateObject", "s3:ReplicateTags", "s3:RestoreObject", "s3:UpdateJobPriority", "s3:UpdateJobStatus" ], "Effect": "Allow", "Resource": "arn:aws:s3:::abc-ftp/*" } ] }
要授予特定用户访问 Amazon S3 存储桶的权限,您应该向 IAM User 添加策略。
以下是来自用户策略示例 - Amazon Simple Storage Service的示例 IAM 策略:
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action": "s3:ListAllMyBuckets",
"Resource":"*"
},
{
"Effect":"Allow",
"Action":["s3:ListBucket","s3:GetBucketLocation"],
"Resource":"arn:aws:s3:::awsexamplebucket1"
},
{
"Effect":"Allow",
"Action":[
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:DeleteObject"
],
"Resource":"arn:aws:s3:::awsexamplebucket1/*"
}
]
}
上述策略允许用户列出所有存储桶的名称,并上传/下载到awsexamplebucket1
存储桶。
任何人都可以通过 HTTP 访问 CloudFront 分配。访问不受IAM 限制。
如果您有私人内容,您可以使用签名 URL 和签名 cookies - Amazon CloudFront 提供私人内容。
IAM 仅用于授予用户管理分发(例如更改配置)的权限。 它不用于控制对内容的访问。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.