【发布时间】:2022-01-08 04:45:59
【问题描述】:
我看过其他类似的问题,但我不知道该怎么做。
我有一个 S3 存储桶,所有公共访问都被阻止,并且该存储桶已打开服务器端加密。
我想创建一个用户组,其权限允许特定用户查看列出的存储桶(但不能查看其他用户)并上传,但不能下载、删除或该存储桶中的任何其他内容。
我有一个具有如下权限的用户组:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:CreateAccessPoint",
"s3:PutAnalyticsConfiguration",
"s3:PutAccelerateConfiguration",
"s3:PutAccessPointConfigurationForObjectLambda",
"s3:DeleteObjectVersion",
"s3:RestoreObject",
"s3:DeleteAccessPoint",
"s3:CreateBucket",
"s3:ListBucket",
"s3:DeleteAccessPointForObjectLambda",
"s3:ReplicateObject",
"s3:PutEncryptionConfiguration",
"s3:DeleteBucketWebsite",
"s3:AbortMultipartUpload",
"s3:PutLifecycleConfiguration",
"s3:UpdateJobPriority",
"s3:CreateMultiRegionAccessPoint",
"s3:PutBucketVersioning",
"s3:PutObjectAcl",
"s3:PutIntelligentTieringConfiguration",
"s3:PutMetricsConfiguration",
"s3:PutBucketOwnershipControls",
"s3:PutReplicationConfiguration",
"s3:DeleteMultiRegionAccessPoint",
"s3:PutObjectLegalHold",
"s3:UpdateJobStatus",
"s3:PutBucketCORS",
"s3:PutInventoryConfiguration",
"s3:PutObject",
"s3:PutBucketNotification",
"s3:DeleteStorageLensConfiguration",
"s3:PutBucketWebsite",
"s3:PutBucketRequestPayment",
"s3:PutObjectRetention",
"s3:PutBucketLogging",
"s3:CreateAccessPointForObjectLambda",
"s3:PutBucketObjectLockConfiguration",
"s3:ReplicateDelete"
],
"Resource": "arn:aws:s3:::my-bucket"
}
]
}
我使用可视化编辑器创建了它,这对我来说似乎有点过头了,但是,即使我已将用户分配到该用户组,我仍然无法将文件上传到该存储桶或查看登录后列出的存储桶那个用户。
我做错了什么?
///编辑///
这是我标记为正确的答案专门针对的版本:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketPolicyStatus",
"s3:PutObject",
"s3:GetObjectAcl",
"s3:GetObject",
"s3:ListBucket",
"s3:DeleteObject",
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
]
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
"s3:GetAccountPublicAccessBlock",
"s3:ListAccessPoints"
],
"Resource": "arn:aws:s3:::*"
}
]
}
【问题讨论】:
-
您希望“允许特定用户查看列出的存储桶(但不能查看其他用户)”——但是,
ListBuckets命令将列出每个 存储桶。您可能可以跳过授予他们此权限,因为他们应该知道分配给他们的存储桶的名称。
标签: amazon-web-services amazon-s3 amazon-iam