[英]Amazon S3 Bucket: Deny List, Read, Write to specific folder
我試圖限制拒絕特定用戶列表,讀取和寫入對存儲桶中特定文件夾的訪問權限。 我可以允許用戶查看其他文件夾,但是在向帳戶添加拒絕策略(通過組添加)時,我收到訪問被拒絕的消息。
這就是我要拒絕訪問的內容:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Deny",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::myBucket",
"Condition": {
"StringLike": {
"s3:prefix": "Admin/*"
}
}
}
]
}
從理論上講,我想限制某個用戶無法執行有關Admin文件夾的上述操作,但是他們仍然需要能夠查看其他文件夾的存儲桶。
我也嘗試過:
{
"Id": "Policy",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1516743098844",
"Action": [
"s3:GetBucketLocation",
"s3:PutObject",
"s3:GetObject"
],
"Effect": "Deny",
"Resource": "arn:aws:s3:::mybucket/Admin/*",
"Principal": {
"AWS": [
"arn:aws:iam::11111111:user/Jenny"
]
}
}
]
}
以上兩個JSON語句都是使用S3存儲桶策略和IAM策略的策略生成器創建的。
關於如何拒絕列表訪問文件夾但允許查看存儲桶的任何線索?
您的第一句話對我來說很好!
$ aws s3 ls s3://my-bucket/
PRE Admin/
PRE other/
2018-01-23 16:33:07 15091 cat.jpg
$ aws s3 ls s3://my-bucket/other/
2018-01-23 16:34:02 91 foo
$ aws s3 ls s3://my-bucket/Admin/
An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.