Posted in: Aws代维
设置IAM用户权限允许访问特定S3的bucket或者目录
通过设置IAM用户权限,可以限制IAM用户访问特定的S3 bucket或者目录的权限。
(1) case1:只允许IAM用户通过API或者s3cmd命令行工具访问特定S3 bucket
{ "Statement": [ { "Effect": "Allow", "Action": ["s3:ListBucket" ], "Resource": [ "arn:aws:s3:::mod-backup"] }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject"], "Resource": [ "arn:aws:s3:::mod-backup/*"] } ] }
这样虽然直接 s3cmd ls会报Access Deny,但是s3cmd ls s3://mod-backup还是可以看到的
(2) case2: 使用CloudBerry这类图形化工具,只允许用户访问特定的S3bucket或者特定目录
IAM user的授权跟API方式的一样
{ "Statement": [ { "Effect": "Allow", "Action": ["s3:ListBucket" ], "Resource": [ "arn:aws:s3:::mod-backup"] }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject"], "Resource": [ "arn:aws:s3:::mod-backup/*"] } ] }
在配置CloudBerry的时候,通过配置External Bucket来只显示该Bucket或者某个目录
<1>配置整个bucket是External Bucket填写bucket name,例如mod-backup
<2>若只有改Bucket下某个目录的权限,就填写mod-backup/wangfei
(3) case3: 允许IAM用户通过AWS console(web管理页面)访问且仅能访问特定S3 bucket
{ "Statement": [ { "Effect": "Allow", "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"], "Resource": "arn:aws:s3:::*" }, { "Effect": "Allow", "Action": ["s3:ListBucket" ], "Resource": [ "arn:aws:s3:::mod-backup"] }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject"], "Resource": [ "arn:aws:s3:::mod-backup/*"] } ] }
这样IAM用户只能读写mod-backup这个bucket,但是又个问题,虽然其他的bucket无权限访问到,但是在bucket列表中依然能看到,但看不到里面的内容。修改成
"Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"], "Resource": "arn:aws:s3:::mod-backup"
这样也不行,这样什么bucket都列举不出来,因为s3:GetBucketLocation这个api操作的对象只能是AllBucket。