问题描述
我正在尝试在S3的对象级别限制用户访问。
s3存储桶中有2个文件夹。我试图只允许访问对象中的一个文件夹。
两个文件夹是:
- 经纪人
- 运营商
这是IAM角色政策:
{
"Version": "2012-10-17","Statement": [
{
"Effect": "Allow","Action": "s3:ListAllMyBuckets","Resource": "arn:aws:s3:::*"
},{
"Effect": "Allow","Action": [
"s3:ListBucket","s3:GetBucketLocation"
],"Resource": "arn:aws:s3:::lodeobucket"
},"Action": [
"s3:PutObject","s3:GetObject","s3:GetObjectVersion","s3:DeleteObject","s3:DeleteObjectVersion"
],"Resource": "arn:aws:s3:::lodeobucket/broker/*"
}
]
}
但是用户也可以访问运营商文件夹。
有人可以建议我想念什么吗?
解决方法
如果添加以下条件:
"Condition":{"StringLike":{"s3:prefix":["","broker/*"]}}
您将无法输入运营商文件夹。它仍将在控制台中可见。我认为您无法“隐藏”其他文件夹,因为这会破坏控制台访问权限。
您可以尝试以下政策:
{
"Version": "2012-10-17","Statement": [
{
"Effect": "Allow","Action": "s3:ListAllMyBuckets","Resource": "arn:aws:s3:::*"
},{
"Effect": "Allow","Action": [
"s3:ListBucket","s3:GetBucketLocation"
],"Resource": "arn:aws:s3:::lodeobucket","Condition":{"StringLike":{"s3:prefix":["","broker/*"]}}
},"Action": [
"s3:PutObject","s3:GetObject","s3:GetObjectVersion","s3:DeleteObject","s3:DeleteObjectVersion"
],"Resource": "arn:aws:s3:::lodeobucket/broker/*"
}
]
}