如何为多个 IAM 用户设置 S3 策略,以便每个人只能访问他们的个人存储桶文件夹?
How to set up S3 Policies for multiple IAM users such that each individual only has access to their personal bucket folder?
我有两个用户 User1 和 User2,每个用户在 AWS 中都有一个 IAM 账户。我有一个 s3 存储桶 "external_bucket.frommycompany.com"。在该存储桶中,每个用户帐户 "User1" 和 "User2" 都有一个文件夹。我只想授予 R/W User1 对 User1 文件夹的访问权限,R/W 仅授予 User2 对 User2 文件夹的访问权限。我不希望他们能够在 external_bucket.frommycompany.com 的根目录中看到彼此的文件夹。有没有办法设置他们的 IAM 策略以使其成为可能?
我的目标是让我们的用户能够从像 cloudberry 这样的 S3 浏览器应用程序连接到 S3 存储桶,这样他们就可以只将文件上传和下载到他们的文件夹中。
欢迎就最佳设计提出任何建议。
来自here
这样的事情应该可以让 User1 只访问 User1 的文件夹:
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowUserToSeeBucketListInTheConsole",
"Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::*"]
},
{
"Sid": "AllowRootAndHomeListingOfCompanyBucket",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::my-company"],
"Condition":{"StringEquals":{"s3:prefix":["","/"],"s3:delimiter":["/"]}}
},
{
"Sid": "AllowListingOfUserFolder",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::my-company"],
"Condition":{"StringLike":{"s3:prefix":["user1/*"]}}
},
{
"Sid": "AllowAllS3ActionsInUserFolder",
"Effect": "Allow",
"Action": ["s3:*"],
"Resource": ["arn:aws:s3:::user1/*"]
}
]
}
将其应用为 User1 的策略,他们应该只能访问 user1/ 文件夹。 "s3:prefix":["","/"]... 部分可能可以更改,但我对政策语言不够熟悉,不知道如何更改。
如果您在 User2 的策略中用 user2 替换 user1,User2 应该只能访问 user2/ 文件夹,依此类推。
这是您问题的official answer。
Example: Allow each IAM user access to a folder in a bucket
In this example, you want two IAM users, Alice and Bob, to have access
to your bucket, examplebucket, so they can add, update, and delete
objects. However, you want to restrict each user’s access to a single
folder in the bucket. You might create folders with names that match
the user names.
如果您今天不这样做,那么使用 policy variables 确实可以改变游戏规则。
请参阅 S3 policy examples 中的示例:
Instead of attaching policies to individual users, though, you can
write a single policy that uses a policy variable and attach the
policy to a group. You will first need to create a group and add both
Alice and Bob to the group. The following example policy allows a set
of Amazon S3 permissions in the examplebucket/${aws:username} folder.
When the policy is evaluated, the policy variable ${aws:username} is
replaced by the requester's user name. For example, if Alice sends a
request to put an object, the operation is allowed only if Alice is
uploading the object to the examplebucket/Alice folder.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":[
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:DeleteObject",
"s3:DeleteObjectVersion"
],
"Resource":"arn:aws:s3:::examplebucket/${aws:username}/*"
}
]
}
我有两个用户 User1 和 User2,每个用户在 AWS 中都有一个 IAM 账户。我有一个 s3 存储桶 "external_bucket.frommycompany.com"。在该存储桶中,每个用户帐户 "User1" 和 "User2" 都有一个文件夹。我只想授予 R/W User1 对 User1 文件夹的访问权限,R/W 仅授予 User2 对 User2 文件夹的访问权限。我不希望他们能够在 external_bucket.frommycompany.com 的根目录中看到彼此的文件夹。有没有办法设置他们的 IAM 策略以使其成为可能?
我的目标是让我们的用户能够从像 cloudberry 这样的 S3 浏览器应用程序连接到 S3 存储桶,这样他们就可以只将文件上传和下载到他们的文件夹中。
欢迎就最佳设计提出任何建议。
来自here
这样的事情应该可以让 User1 只访问 User1 的文件夹:
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowUserToSeeBucketListInTheConsole",
"Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::*"]
},
{
"Sid": "AllowRootAndHomeListingOfCompanyBucket",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::my-company"],
"Condition":{"StringEquals":{"s3:prefix":["","/"],"s3:delimiter":["/"]}}
},
{
"Sid": "AllowListingOfUserFolder",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::my-company"],
"Condition":{"StringLike":{"s3:prefix":["user1/*"]}}
},
{
"Sid": "AllowAllS3ActionsInUserFolder",
"Effect": "Allow",
"Action": ["s3:*"],
"Resource": ["arn:aws:s3:::user1/*"]
}
]
}
将其应用为 User1 的策略,他们应该只能访问 user1/ 文件夹。 "s3:prefix":["","/"]... 部分可能可以更改,但我对政策语言不够熟悉,不知道如何更改。
如果您在 User2 的策略中用 user2 替换 user1,User2 应该只能访问 user2/ 文件夹,依此类推。
这是您问题的official answer。
Example: Allow each IAM user access to a folder in a bucket
In this example, you want two IAM users, Alice and Bob, to have access to your bucket, examplebucket, so they can add, update, and delete objects. However, you want to restrict each user’s access to a single folder in the bucket. You might create folders with names that match the user names.
如果您今天不这样做,那么使用 policy variables 确实可以改变游戏规则。
请参阅 S3 policy examples 中的示例:
Instead of attaching policies to individual users, though, you can write a single policy that uses a policy variable and attach the policy to a group. You will first need to create a group and add both Alice and Bob to the group. The following example policy allows a set of Amazon S3 permissions in the
examplebucket/${aws:username}folder. When the policy is evaluated, the policy variable${aws:username}is replaced by the requester's user name. For example, if Alice sends a request to put an object, the operation is allowed only if Alice is uploading the object to theexamplebucket/Alicefolder.{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "s3:PutObject", "s3:GetObject", "s3:GetObjectVersion", "s3:DeleteObject", "s3:DeleteObjectVersion" ], "Resource":"arn:aws:s3:::examplebucket/${aws:username}/*" } ] }