AWS IAM 策略:限制 Bucket/Folder 访问 User/Role?
AWS IAM Policy: Restrict Bucket/Folder Access By User/Role?
我正在尝试按角色限制用户只能访问 S3 存储桶中的特定文件夹。存储桶被配置为 "mock mountable" 可以这么说,这样我们就可以将它用于文件共享,就好像它是一个更传统的服务器一样。每个用户都在使用 CloudBerry 远程访问 S3。
这是我当前的(损坏的)策略,存储桶名称是 "bluebolt"。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUserToSeeBucketListInTheConsole",
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Sid": "AllowRootAndHomeListingOfCompanySharedAndPAndP",
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::bluebolt"
],
"Condition": {
"StringEquals": {
"s3:prefix": [
"",
"Production and Processing/",
"Production and Processing/${aws:username}",
"Company Shared/"
],
"s3:delimiter": [
"/"
]
}
}
},
{
"Sid": "AllowListingOfCompanyShared",
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::bluebolt"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"Company Shared/*"
]
}
}
},
{
"Sid": "AllowListingOfUserFolder",
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::bluebolt"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"Production and Processing/${aws:username}/",
"Production and Processing/${aws:username}/*"
]
}
}
},
{
"Sid": "AllowAllS3ActionsCompanyShared",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::bluebolt/Company Shared/*"
]
},
{
"Sid": "AllowAllS3ActionsInUserFolder",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::bluebolt/Production and Processing/${aws:username}/*"
]
},
{
"Sid": "DenyAllS3ActionsInManagement",
"Effect": "Deny",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::bluebolt/Management/*"
]
}
]
}
所以,我想做的是限制用户 list/read/write 只能使用“/Production and Processing/[UserName]”中的内容,同时能够 list/read “中的所有内容” /Company Shared”,同时明确禁止对“/Management”的所有访问以及“/Production and Processing/*”中除其用户文件夹之外的所有内容。理想情况下,用户只会在 bluebolt 中看到“/Company Shared”和“/Production and Processing”,一旦他们进入“/Production and Processing”,他们只会看到他们的用户命名文件夹,即他们的工作区。
现在,一旦用户 ("You do not have permission to access") 挖掘到 bluebolt 顶级存储桶以下,我就会偶尔访问他们。
我不知道这个用例是否常见,或者我是否试图将太方的钉子放入圆孔中,但欢迎任何 feedback/tips/similar 政策 applications/harsh 批评非常感谢!
IAM policy variables with federated users
${aws:userName} 策略变量不适用于角色。使用 ${aws:userID} 策略变量而不是 ${aws:userName} 策略变量。
${aws:userid} 变量将为 "ROLEID:caller-specified-name"。
我对 aws:userid 和一个角色使用了相同的策略。
获取角色 ID。
iam get-role --role-name Arsenal-role --query Role.RoleId
AROAXXT2NJT7D3SIQN7Z6
请您的用户上传到 Bucket/Prefix/<RoleID:SessionName>/
aws s3 cp test.txt 's3://mydemo/Production and Processing/AROAXXT2NJT7D3SIQN7Z6:john/' --profile s3role
upload: ./test.txt to s3://mydemo/Production and Processing/AROAXX2NJT7D3SIQN7Z6:john/test.txt
aws s3 cp test.txt 's3://mydemo/Management/' --profile s3role
upload failed: ./test.txt to s3://mydemo/Management/test.txt An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
aws s3 cp test.txt 's3://mydemo/Production and Processing/' --profile s3role
upload failed: ./test.txt to s3://mydemo/Production and Processing An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
这是我开始工作的代码。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowListingOfUserFolder",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bluebolt"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"*",
"bluebolt/Company Shared/*",
"bluebolt/Production and Processing/*",
"bluebolt/Production and Processing/${aws:userName}/*"
]
}
}
},
{
"Sid": "AllowAllS3ActionsInUserFolder",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:DeleteObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bluebolt/Production and Processing/${aws:userName}/*"
]
},
{
"Sid": "AllowCertainS3ActionsInCompanyShared",
"Action": [
"s3:GetObject",
"s3:GetObjectVersion"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bluebolt/Company Shared/*"
]
}
]
}
我正在尝试按角色限制用户只能访问 S3 存储桶中的特定文件夹。存储桶被配置为 "mock mountable" 可以这么说,这样我们就可以将它用于文件共享,就好像它是一个更传统的服务器一样。每个用户都在使用 CloudBerry 远程访问 S3。
这是我当前的(损坏的)策略,存储桶名称是 "bluebolt"。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUserToSeeBucketListInTheConsole",
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Sid": "AllowRootAndHomeListingOfCompanySharedAndPAndP",
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::bluebolt"
],
"Condition": {
"StringEquals": {
"s3:prefix": [
"",
"Production and Processing/",
"Production and Processing/${aws:username}",
"Company Shared/"
],
"s3:delimiter": [
"/"
]
}
}
},
{
"Sid": "AllowListingOfCompanyShared",
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::bluebolt"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"Company Shared/*"
]
}
}
},
{
"Sid": "AllowListingOfUserFolder",
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::bluebolt"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"Production and Processing/${aws:username}/",
"Production and Processing/${aws:username}/*"
]
}
}
},
{
"Sid": "AllowAllS3ActionsCompanyShared",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::bluebolt/Company Shared/*"
]
},
{
"Sid": "AllowAllS3ActionsInUserFolder",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::bluebolt/Production and Processing/${aws:username}/*"
]
},
{
"Sid": "DenyAllS3ActionsInManagement",
"Effect": "Deny",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::bluebolt/Management/*"
]
}
]
}
所以,我想做的是限制用户 list/read/write 只能使用“/Production and Processing/[UserName]”中的内容,同时能够 list/read “中的所有内容” /Company Shared”,同时明确禁止对“/Management”的所有访问以及“/Production and Processing/*”中除其用户文件夹之外的所有内容。理想情况下,用户只会在 bluebolt 中看到“/Company Shared”和“/Production and Processing”,一旦他们进入“/Production and Processing”,他们只会看到他们的用户命名文件夹,即他们的工作区。
现在,一旦用户 ("You do not have permission to access") 挖掘到 bluebolt 顶级存储桶以下,我就会偶尔访问他们。
我不知道这个用例是否常见,或者我是否试图将太方的钉子放入圆孔中,但欢迎任何 feedback/tips/similar 政策 applications/harsh 批评非常感谢!
IAM policy variables with federated users
${aws:userName} 策略变量不适用于角色。使用 ${aws:userID} 策略变量而不是 ${aws:userName} 策略变量。
${aws:userid} 变量将为 "ROLEID:caller-specified-name"。
我对 aws:userid 和一个角色使用了相同的策略。
获取角色 ID。
iam get-role --role-name Arsenal-role --query Role.RoleId AROAXXT2NJT7D3SIQN7Z6请您的用户上传到
Bucket/Prefix/<RoleID:SessionName>/aws s3 cp test.txt 's3://mydemo/Production and Processing/AROAXXT2NJT7D3SIQN7Z6:john/' --profile s3role upload: ./test.txt to s3://mydemo/Production and Processing/AROAXX2NJT7D3SIQN7Z6:john/test.txt aws s3 cp test.txt 's3://mydemo/Management/' --profile s3role upload failed: ./test.txt to s3://mydemo/Management/test.txt An error occurred (AccessDenied) when calling the PutObject operation: Access Denied aws s3 cp test.txt 's3://mydemo/Production and Processing/' --profile s3role upload failed: ./test.txt to s3://mydemo/Production and Processing An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
这是我开始工作的代码。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowListingOfUserFolder",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bluebolt"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"*",
"bluebolt/Company Shared/*",
"bluebolt/Production and Processing/*",
"bluebolt/Production and Processing/${aws:userName}/*"
]
}
}
},
{
"Sid": "AllowAllS3ActionsInUserFolder",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:DeleteObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bluebolt/Production and Processing/${aws:userName}/*"
]
},
{
"Sid": "AllowCertainS3ActionsInCompanyShared",
"Action": [
"s3:GetObject",
"s3:GetObjectVersion"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bluebolt/Company Shared/*"
]
}
]
}