如何爲s3存儲桶設置策略，以允許通過身份驗證的用戶列出存儲桶或從存儲桶中獲取任何文件

Question

我已經在存儲桶上設置了權限，允許「Authenticated Users」列出，上傳和從我創建的存儲桶中刪除。這似乎允許我將文件上傳到存儲區，但似乎從該存儲區下載文件不受此權限的限制，我需要爲該存儲區定義一個政策。我不清楚如何制定這樣的政策。我嘗試了策略生成器，用我最好的猜測來填寫內容，但是當我把它作爲新策略粘貼到存儲桶時（失敗，消息爲Action does not apply to any resource(s) in statement - Action "s3:ListBucket" in Statement "Stmt-some-number"），結果不是一個有效的策略。有人可以解釋以下策略有什麼問題，以及如何正確設置它以允許經過身份驗證的用戶從存儲桶中檢索文件？

{ 
    "Id": "Policy-some-number", 
    "Statement": [ 
    { 
     "Sid": "Stmt-some-number", 
     "Action": [ 
     "s3:GetObject", 
     "s3:ListBucket" 
     ], 
     "Effect": "Allow", 
     "Resource": "arn:aws:s3:::my-bucket/*", 
     "Principal": { 
     "AWS": [ 
      "*" 
     ] 
     } 
    } 
    ] 
} 

Answer 1

s3:GetObject適用於在桶中的對象，因此資源是正確的："Resource": "arn:aws:s3:::my-bucket/*"。

s3:ListBucket適用於桶本身等資源應該是"Resource": "arn:aws:s3:::my-bucket"

你產生的政策應該類似於：

{ 
    "Id": "Policy-some-number", 
    "Statement": [ 
    { 
     "Sid": "Stmt-some-number", 
     "Action": [ 
     "s3:GetObject" 
     ], 
     "Effect": "Allow", 
     "Resource": "arn:aws:s3:::my-bucket/*", 
     "Principal": { 
     "AWS": [ 
      "*" 
     ] 
     } 
    }, 
    { 
     "Sid": "Stmt-some-other-number", 
     "Action": [ 
     "s3:ListBucket" 
     ], 
     "Effect": "Allow", 
     "Resource": "arn:aws:s3:::my-bucket", 
     "Principal": { 
     "AWS": [ 
      "*" 
     ] 
     } 
    } 
    ] 
} 

Answer 2

只是恭維@ c4urself答案。該答案也有助於解決我的問題，但AWS文檔中提供了一些指示，您可以添加多個資源，只需使用[]將它們設置爲列表即可。 http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html#vpc-endpoints-s3-bucket-policies

{ 
    "Statement": [ 
    { 
     "Sid": "Access-to-specific-bucket-only", 
     "Principal": "*", 
     "Action": [ 
     "s3:ListBucket", 
     "s3:GetObject", 
     "s3:PutObject" 
     ], 
     "Effect": "Allow", 
     "Resource": ["arn:aws:s3:::my_secure_bucket", 
        "arn:aws:s3:::my_secure_bucket/*"] 
    } 
    ] 
}