+86 13541016684Mon. - Fri. 10:00-22:00

设置IAM用户权限允许访问特定S3的bucket或者目录

设置IAM用户权限允许访问特定S3的bucket或者目录

设置IAM用户权限允许访问特定S3的bucket或者目录

通过设置IAM用户权限,可以限制IAM用户访问特定的S3 bucket或者目录的权限。

(1) case1:只允许IAM用户通过API或者s3cmd命令行工具访问特定S3 bucket
{
  "Statement": [
    {
       "Effect": "Allow",
       "Action": ["s3:ListBucket" ],
       "Resource": [ "arn:aws:s3:::mod-backup"]
    },
    {
        "Effect": "Allow",
        "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
        "Resource": [ "arn:aws:s3:::mod-backup/*"]
    }
  ]
}

这样虽然直接 s3cmd ls会报Access Deny,但是s3cmd ls s3://mod-backup还是可以看到的

(2) case2: 使用CloudBerry这类图形化工具,只允许用户访问特定的S3bucket或者特定目录
IAM user的授权跟API方式的一样
{
  "Statement": [
    {
       "Effect": "Allow",
       "Action": ["s3:ListBucket" ],
       "Resource": [ "arn:aws:s3:::mod-backup"]
    },
    {
        "Effect": "Allow",
        "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
        "Resource": [ "arn:aws:s3:::mod-backup/*"]
    }
  ]
}
在配置CloudBerry的时候,通过配置External Bucket来只显示该Bucket或者某个目录
<1>配置整个bucket是External Bucket填写bucket name,例如mod-backup
<2>若只有改Bucket下某个目录的权限,就填写mod-backup/wangfei
(3) case3: 允许IAM用户通过AWS console(web管理页面)访问且仅能访问特定S3 bucket
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket" ],
      "Resource": [ "arn:aws:s3:::mod-backup"]
    },
    {
      "Effect": "Allow",
      "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
      "Resource": [ "arn:aws:s3:::mod-backup/*"]
    }
  ]
}

这样IAM用户只能读写mod-backup这个bucket,但是又个问题,虽然其他的bucket无权限访问到,但是在bucket列表中依然能看到,但看不到里面的内容。修改成

     "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
      "Resource": "arn:aws:s3:::mod-backup"

这样也不行,这样什么bucket都列举不出来,因为s3:GetBucketLocation这个api操作的对象只能是AllBucket。