如何构造 IAM 高级用户以只读访问 S3 存储桶?
How to structure IAM power user to have read-only access to an S3 bucket?
(背景)目前,我正在尝试为需要我公司账户的任何人制定一项通用政策,以便他们可以访问他们在 AWS 上所需的任何内容,但不能更改自己的权限。那里的想法是给他们管理策略 "PowerUserAccess"。此外,在他们的帐户中,他们将拥有一个具有计费权限的 S3 存储桶,"arn:aws:s3:::c3-uits-s3"。
(问题)我已尝试将此 s3 存储桶设置为只读,以便他们可以 see/download 计费,但不能 upload/delete 从存储桶中。我的第一次尝试是
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"NotAction": "iam:*",
"Resource": "*"
},
{
"Effect": "Deny",
"NotAction": [
"s3:List*",
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::c3-uits-s3"
]
}
]
}
拒绝除了 Get* 和 List* 之外的所有操作,但有了这些权限我仍然能够 upload/delete,所以我试图从那里只获得必要的权限,只查看而不做任何其他事情,然后我来了与
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"NotAction": "iam:*",
"Resource": "*"
},
{
"Effect": "Deny",
"NotAction": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::c3-uits-s3"
]
}
]
}
这仍然具有能够 upload/delete 的相同效果。我尝试的另一种变体是
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"NotAction": [
"iam:*",
"s3:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"NotResource": [
"arn:aws:s3:::c3-uits-s3"
]
},
{
"Effect": "Allow",
"Action": [
"s3:List*",
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::c3-uits-s3"
]
}
]
}
和
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"NotAction": "iam:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:List*",
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::c3-uits-s3"
]
},
{
"Effect": "Deny",
"Action": [
"s3:Put*",
"s3:Create*",
"s3:Delete*",
"s3:Replicate*"
],
"Resource": [
"arn:aws:s3:::c3-uits-s3"
]
}
]
}
任何正确方向的帮助或指示将不胜感激!
存储桶的Resource是"arn:aws:s3:::bucket-name",但是存储桶中对象的Resource 是 "arn:aws:s3:::bucket-name/*"。
您在这里没有拒绝对对象的任何操作。
(背景)目前,我正在尝试为需要我公司账户的任何人制定一项通用政策,以便他们可以访问他们在 AWS 上所需的任何内容,但不能更改自己的权限。那里的想法是给他们管理策略 "PowerUserAccess"。此外,在他们的帐户中,他们将拥有一个具有计费权限的 S3 存储桶,"arn:aws:s3:::c3-uits-s3"。
(问题)我已尝试将此 s3 存储桶设置为只读,以便他们可以 see/download 计费,但不能 upload/delete 从存储桶中。我的第一次尝试是
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"NotAction": "iam:*",
"Resource": "*"
},
{
"Effect": "Deny",
"NotAction": [
"s3:List*",
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::c3-uits-s3"
]
}
]
}
拒绝除了 Get* 和 List* 之外的所有操作,但有了这些权限我仍然能够 upload/delete,所以我试图从那里只获得必要的权限,只查看而不做任何其他事情,然后我来了与
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"NotAction": "iam:*",
"Resource": "*"
},
{
"Effect": "Deny",
"NotAction": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::c3-uits-s3"
]
}
]
}
这仍然具有能够 upload/delete 的相同效果。我尝试的另一种变体是
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"NotAction": [
"iam:*",
"s3:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"NotResource": [
"arn:aws:s3:::c3-uits-s3"
]
},
{
"Effect": "Allow",
"Action": [
"s3:List*",
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::c3-uits-s3"
]
}
]
}
和
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"NotAction": "iam:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:List*",
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::c3-uits-s3"
]
},
{
"Effect": "Deny",
"Action": [
"s3:Put*",
"s3:Create*",
"s3:Delete*",
"s3:Replicate*"
],
"Resource": [
"arn:aws:s3:::c3-uits-s3"
]
}
]
}
任何正确方向的帮助或指示将不胜感激!
存储桶的Resource是"arn:aws:s3:::bucket-name",但是存储桶中对象的Resource 是 "arn:aws:s3:::bucket-name/*"。
您在这里没有拒绝对对象的任何操作。