AWS S3存儲桶策略
[英]AWS S3 Bucket policies
問題描述
我創建了一個帶有cloudformation的存儲桶:
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
BucketName:
Type: String
Description: "Choose a name for the S3 Bucket"
Default: "myrandomnameforbucket"
S3Bucket:
Type: "AWS::S3::Bucket"
Properties:
AccessControl: "Private"
BucketName: !Ref BucketName
現在,我正在編寫bucketPolicy,但遇到了一些問題。 我要實現的目標:
- USER A(UserA)可以上傳到S3
- USER A(UserA)無法從S3刪除
- 所有用戶(在我的環境中,不是公共的)都可以從S3中讀取
- 所有用戶(在我的環境中為nob public)都可以從S3中刪除
我該如何實現? 目前,我拒絕從userA刪除,並允許從userA上傳。
- Effect: Deny
Principal:
AWS:
!GetAtt UserA.Arn
Action: "s3:DeleteObject"
Resource:
Fn::Join: ["", ["arn:aws:s3:::", Ref: "S3Bucket", "/*"]]
- Effect: Allow
Principal:
AWS:
!GetAtt UserA.Arn
Action: "s3:PutObject"
Resource:
Fn::Join: ["", ["arn:aws:s3:::", Ref: "S3Bucket", "/*"]]
- Effect: Allow
Principal: "?" # * is public?
Action: s3:GetObject
Resource:
Fn::Join: ["", ["arn:aws:s3:::", Ref: "S3Bucket", "/*"]]
2 個解決方案
解決方案1
1 已采納 2018-03-24 20:57:00
我了解有兩個問題:
- 排除匿名用戶時如何授予所有IAM用戶訪問權限
- 如何限制一個用戶比其他用戶更多,即:刪除您剛剛授予其他用戶的權限
最初,第一個問題聽起來很簡單,因為文檔指出 :
在基於資源的策略中,使用Principal元素來指定允許訪問資源的帳戶或用戶
因此,這意味着您可以執行以下操作:
Principal:
AWS: !Ref "AWS::AccountId"
但是,當我嘗試時,它卻沒有用。 在設置特定用戶的arn時,它對我有用。 對我來說,這似乎是一個錯誤。 或在文檔中不清楚。 我找到了另一份報告 。
無論如何,您可以做的是使用Principal: AWS: "*" ,然后使用“ Condition將其僅限於IAM用戶 。
第二個問題要容易得多:對策略進行評估,使顯式deny優先於一般allow , 請參閱文檔 。
產生的策略可以這樣寫:
S3Policy:
Type: "AWS::S3::BucketPolicy"
Properties:
Bucket: !Ref S3Bucket
PolicyDocument:
Statement:
- Effect: Deny
Action: "s3:DeleteObject"
Resource: !Join ["", ["arn:aws:s3:::", Ref: "S3Bucket", "/*"]]
Principal:
AWS: !GetAtt UserA.Arn
- Effect: Allow
Action: "s3:PutObject"
Resource: !Join ["", ["arn:aws:s3:::", Ref: "S3Bucket", "/*"]]
Principal:
AWS: !GetAtt UserA.Arn
- Effect: Allow
Action: ["s3:GetObject", "s3:DeleteObject"]
Resource: !Join ["", ["arn:aws:s3:::", Ref: "S3Bucket", "/*"]]
Principal:
AWS: "*"
Condition:
StringEquals:
"aws:PrincipalType": ["User"]
解決方案2
0 2018-03-24 14:09:55
{
"Version": "2012-10-17",
"Id": "S3PolicyId1",
"Statement": [
{
"Sid": "AllowGet",
"Effect": "Allow",
"Principal":{"AWS":"arn:aws:iam::account-number-without-hyphens:user/user1"},
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::s3_bucket_name",
"arn:aws:s3:::s3_bucket_name/*"
]
},
{
"Sid": "DenyDeleteObject",
"Effect": "Deny",
"Principal": {"AWS":"arn:aws:iam::account-number-without-hyphens:user/user1"},
"Action": "s3:Delete*",
"Resource": [
"arn:aws:s3:::s3_bucket_name",
"arn:aws:s3:::s3_bucket_name/*"
]
},
{
"Sid": "Allow anyone in your account to access bucket",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::account-number-without-hyphens:root"
},
"Action": [
"s3:Get*",
"s3:List*",
"s3:Put*",
"s3:Delete*"
],
"Resource": [
"arn:aws:s3:::s3_bucket_name",
"arn:aws:s3:::s3_bucket_name/*"
]
}
]
}
這是我快速整理好的JSON格式的模板。 我在這里的假設是,您的“所有用戶(在我的環境中,nob public)”組是帳戶中的所有人。 因此,我們在第三塊中對其進行定義。 您始終可以隨心所欲地操作主體。
如果您有任何疑問,請詢問,我們很樂意為您提供幫助。
AWS:S3 存儲桶策略和用戶策略之間有什么關系?
[英]AWS: What is the relationship between S3 bucket policies and user policies?
如何使用 aws s3api 將 acl 策略應用於 S3 存儲桶中的子文件夾
[英]How to apply acl policies using aws s3api to subfolders in S3 bucket
AWS文檔-S3存儲桶策略中的NotResource不會影響其他存儲桶
[英]AWS documentation - NotResource in S3 bucket policies does not affect other buckets
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.