[英]AWS S3 Bucket policies
我創建了一個帶有cloudformation的存儲桶:
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
BucketName:
Type: String
Description: "Choose a name for the S3 Bucket"
Default: "myrandomnameforbucket"
S3Bucket:
Type: "AWS::S3::Bucket"
Properties:
AccessControl: "Private"
BucketName: !Ref BucketName
現在,我正在編寫bucketPolicy,但遇到了一些問題。 我要實現的目標:
我該如何實現? 目前,我拒絕從userA刪除,並允許從userA上傳。
- Effect: Deny
Principal:
AWS:
!GetAtt UserA.Arn
Action: "s3:DeleteObject"
Resource:
Fn::Join: ["", ["arn:aws:s3:::", Ref: "S3Bucket", "/*"]]
- Effect: Allow
Principal:
AWS:
!GetAtt UserA.Arn
Action: "s3:PutObject"
Resource:
Fn::Join: ["", ["arn:aws:s3:::", Ref: "S3Bucket", "/*"]]
- Effect: Allow
Principal: "?" # * is public?
Action: s3:GetObject
Resource:
Fn::Join: ["", ["arn:aws:s3:::", Ref: "S3Bucket", "/*"]]
我了解有兩個問題:
最初,第一個問題聽起來很簡單,因為文檔指出 :
在基於資源的策略中,使用Principal元素來指定允許訪問資源的帳戶或用戶
因此,這意味着您可以執行以下操作:
Principal:
AWS: !Ref "AWS::AccountId"
但是,當我嘗試時,它卻沒有用。 在設置特定用戶的arn時,它對我有用。 對我來說,這似乎是一個錯誤。 或在文檔中不清楚。 我找到了另一份報告 。
無論如何,您可以做的是使用Principal: AWS: "*"
,然后使用“ Condition
將其僅限於IAM用戶 。
第二個問題要容易得多:對策略進行評估,使顯式deny
優先於一般allow
, 請參閱文檔 。
產生的策略可以這樣寫:
S3Policy:
Type: "AWS::S3::BucketPolicy"
Properties:
Bucket: !Ref S3Bucket
PolicyDocument:
Statement:
- Effect: Deny
Action: "s3:DeleteObject"
Resource: !Join ["", ["arn:aws:s3:::", Ref: "S3Bucket", "/*"]]
Principal:
AWS: !GetAtt UserA.Arn
- Effect: Allow
Action: "s3:PutObject"
Resource: !Join ["", ["arn:aws:s3:::", Ref: "S3Bucket", "/*"]]
Principal:
AWS: !GetAtt UserA.Arn
- Effect: Allow
Action: ["s3:GetObject", "s3:DeleteObject"]
Resource: !Join ["", ["arn:aws:s3:::", Ref: "S3Bucket", "/*"]]
Principal:
AWS: "*"
Condition:
StringEquals:
"aws:PrincipalType": ["User"]
{
"Version": "2012-10-17",
"Id": "S3PolicyId1",
"Statement": [
{
"Sid": "AllowGet",
"Effect": "Allow",
"Principal":{"AWS":"arn:aws:iam::account-number-without-hyphens:user/user1"},
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::s3_bucket_name",
"arn:aws:s3:::s3_bucket_name/*"
]
},
{
"Sid": "DenyDeleteObject",
"Effect": "Deny",
"Principal": {"AWS":"arn:aws:iam::account-number-without-hyphens:user/user1"},
"Action": "s3:Delete*",
"Resource": [
"arn:aws:s3:::s3_bucket_name",
"arn:aws:s3:::s3_bucket_name/*"
]
},
{
"Sid": "Allow anyone in your account to access bucket",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::account-number-without-hyphens:root"
},
"Action": [
"s3:Get*",
"s3:List*",
"s3:Put*",
"s3:Delete*"
],
"Resource": [
"arn:aws:s3:::s3_bucket_name",
"arn:aws:s3:::s3_bucket_name/*"
]
}
]
}
這是我快速整理好的JSON格式的模板。 我在這里的假設是,您的“所有用戶(在我的環境中,nob public)”組是帳戶中的所有人。 因此,我們在第三塊中對其進行定義。 您始終可以隨心所欲地操作主體。
如果您有任何疑問,請詢問,我們很樂意為您提供幫助。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.