如何合並 AWS S3 存儲桶策略?
[英]How to merge AWS S3 bucket policies?
問題描述
我們在生產中有一個現有的 S3 存儲桶策略:
{
"Version": "2012-10-17",
"Id": "Policy[redacted]",
"Statement": [
{
"Sid": "ServiceA access",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[redacted]:root"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::mysite-production/*"
},
{
"Sid": "ServiceA access",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[redacted]:root"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::mysite-production"
},
{
"Sid": "AllowPublicRead",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mysite-production/*"
}
]
}
我們要授予訪問權限的另一個 3rd 方服務需要:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::*"
}
]
}
我嘗試將ListAllMyBuckets和GetBucketLocation合並到我們原始策略的最后一部分,但會產生“策略無效操作”錯誤:
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::mysite-production/*"
}
我怎樣才能將這些合並成一個有凝聚力的政策? 或者一個桶是否有可能有兩個策略?
提前致謝!
1 個解決方案
解決方案1
1 已采納 2019-11-20 04:31:38
您實際上可以同時應用 IAM 策略和 S3 存儲桶策略,最終授權是所有權限的最低權限聯合。
AWS:S3 存儲桶策略和用戶策略之間有什么關系?
[英]AWS: What is the relationship between S3 bucket policies and user policies?
如何使用 aws s3api 將 acl 策略應用於 S3 存儲桶中的子文件夾
[英]How to apply acl policies using aws s3api to subfolders in S3 bucket
AWS S3 CLI-如何在存儲桶中設置了所有當前策略的情況下獲取JSON?
[英]AWS S3 CLI - how to get JSON with all current policies set on a bucket?
AWS IAM策略:如何更改AWSLambdaFullAccess策略以僅允許訪問一個S3存儲桶?
[英]AWS IAM Policies: How do I alter the AWSLambdaFullAccess policy to only allow access to one S3 bucket?
如何使用 AWS Glue 從 S3 存儲桶合並 CSV 文件並將其保存回 S3
[英]How to merge CSV file from S3 bucket and save it back into S3 using AWS Glue
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.