如何限制在S3桶

Question

訪問到一個文件夾我想限制在S3 bukcet訪問到一個文件夾。

我已經寫了一個same.But IAM角色不知何故，我無法上傳/同步的文件到這個folder.here桶桶名稱和文件夾是我想給訪問該文件夾。

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
     { 
      "Sid": "AllowUserToSeeBucketListInTheConsole", 
      "Action": [ 
       "s3:ListAllMyBuckets", 
       "s3:GetBucketLocation" 
      ], 
      "Effect": "Allow", 
      "Resource": [ 
       "arn:aws:s3:::*" 
      ] 
     }, 
     { 
      "Sid": "AllowRootAndHomeListingOfBucket", 
      "Action": [ 
       "s3:ListBucket" 
      ], 
      "Effect": "Allow", 
      "Resource": [ 
       "arn:aws:s3:::bucket" 
      ], 
      "Condition": { 
       "StringEquals": { 
        "s3:prefix": [ 
         "" 
        ], 
        "s3:delimiter": [ 
         "/" 
        ] 
       } 
      } 
     }, 
     { 
      "Sid": "AllowListingOfUserFolder", 
      "Action": [ 
       "s3:ListBucket", 
       "s3:PutObject", 
       "s3:PutObjectAcl", 
       "s3:GetObject", 
       "s3:GetObjectAcl", 
       "s3:HeadObject" 
      ], 
      "Effect": "Allow", 
      "Resource": [ 
       "arn:aws:s3:::bucket" 
      ], 
      "Condition": { 
       "StringLike": { 
        "s3:prefix": [ 
         "folder/*" 
        ] 
       } 
      } 
     } 
    ] 
} 

請指出我錯在哪裏。

Answer 1

我相信你描述AWS方案建議桶政策。 AWS IAM應該用於保護AWS資源（如S3本身）的安全，而Bucket策略可用於保護S3存儲桶和文檔。

退房關於這個問題該AWS的博客文章：

https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/

Answer 2

既然你已要求建議，你不對的地方： 1>在AllowListingOfUserFolder，您使用的對象資源，但你已經使用了桶級別的操作，「s3：prefix」不能用於對象級別的API。

請參考這裏列出的樣品政策： http://docs.aws.amazon.com/AmazonS3/latest/dev/example-policies-s3.html#iam-policy-ex1 https://aws.amazon.com/blogs/security/writing-iam-policies-grant-access-to-user-specific-folders-in-an-amazon-s3-bucket/

希望這有助於。