英文:
S3 Policy Help - Full access for IAM user. Public read only access for single folder
问题
我已经为我的存储桶创建了一个带有策略的 IAM 用户。在启用“公开块访问”后,我可以通过此用户按预期与存储桶进行交互。
现在我需要使用存储桶策略创建一个单独的公开只读文件夹,但我没有任何好运。我创建了下面的策略,应该会:
- 禁用所有主体的所有访问
- 为我的 IAM 用户启用所有访问
- 为所有用户启用特定文件夹的只读访问。
{
"Id": "Policy1676746531922",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1676745894018",
"Action": "s3:*",
"Effect": "Deny",
"Resource": "arn:aws:s3:::bucket/*",
"Principal": "*"
},
{
"Sid": "Stmt1676746261470",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucket/*",
"Principal": {
"AWS": [
"arn:aws:iam::000000000:user/bucket-user"
]
}
},
{
"Sid": "Stmt1676746523001",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucket/read-only-folder",
"Principal": "*"
}
]
}
我猜你不能以这种方式叠加访问权限,但我不确定如何构建我需要的内容。如果我使用一个单一的读取策略来打开一个文件夹,我似乎仍然可以公开访问所有其他文件夹:
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AllowPublicRead",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket-name/public/*"
}
]
}
我可以访问“/public”,但仍然可以访问“/private”。
我首先需要一种方法来锁定整个存储桶,然后打开我想要提供访问权限的文件夹。
英文:
I have an IAM user created with a policy for my bucket. With "public block access" enabled I can interact with the bucket as expected through this user.
Now I need to make a single public read-only folder using bucket policies, but I am not having any luck. I created the below policy which should
- Disable all access to all principles
- Enable all access for my IAM user
- Enable read-only access to specific folders for all users.
{
"Id": "Policy1676746531922",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1676745894018",
"Action": "s3:*",
"Effect": "Deny",
"Resource": "arn:aws:s3:::bucket/*",
"Principal": "*"
},
{
"Sid": "Stmt1676746261470",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucket/*",
"Principal": {
"AWS": [
"arn:aws:iam::000000000:user/bucket-user"
]
}
},
{
"Sid": "Stmt1676746523001",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucket/read-only-folder",
"Principal": "*"
}
]
}
I guess you cannot layer up access in this way, but I am unsure how to construct what I need. If I go with a single read policy to open up one folder, I still seem to be able to access all other folders publically too:
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AllowPublicRead",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket-name/public/*"
}
]
}
I can access "/public" but can still access "/private" too.
I need a way first to lock down the entire bucket and then open up the folders I want to provide access for?
答案1
得分: 2
你的策略失败是因为Deny始终会覆盖Allow。
策略中的第一条语句会拒绝对桶的访问,包括您在内。
你在arn:aws:s3:::bucket-name/public/*上的第二个策略是正确的方法。它只会授予对该特定文件夹的匿名访问权限。
如果你能够访问其他文件夹,那么可能是因为存在其他策略,或者你正在使用自己的AWS凭据进行“经过身份验证的访问”。确保在测试时将类似以下的URL放入网页浏览器中:https://bucket-name.ap-southeast-2.s3.amazonaws.com/foo.txt
英文:
Your policy is failing because Deny always overrides an Allow.
The first statement in the policy will Deny access to the bucket for everyone (including you!).
Your second policy on arn:aws:s3:::bucket-name/public/* is the correct way to go. It will only grant anonymous access to that particular folder.
If you are able to access other folders, then either there are other policies that exist, or you are using "authenticated access" using your own AWS credentials. Make sure when you test it that you are putting a URL into a web browser that simply looks like: https://bucket-name.ap-southeast-2.s3.amazonaws.com/foo.txt
答案2
得分: 0
桶默认情况下是“锁定”的。不需要显式拒绝对桶的访问。
亚马逊建议所有新桶都禁用 ACL。这意味着桶所有者默认拥有桶内所有文件和文件版本的所有权。
通过桶策略和用户/IAM 策略授予其他用户访问权限。
在这种用例中,我希望桶是私有的,除了一个文件。我们还有一个 IAM 用户,应该能够修改桶内的文件。
桶策略
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "GrantOperationAccessToIamUser",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::8000000000000:user/bucket-user"
},
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::bucket-name"
},
{
"Sid": "GrantGetAccessToIamUser",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::8000000000000:user/bucket-user"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket-name/*"
}
]
}
为了允许对一个文件夹(在本例中文件夹名为“public”)的公共读访问权限,您可以添加以下内容:
{
"Sid": "AddPublicAccess",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource":"arn:aws:s3:::bucket-name/public/*"
}
IAM 用户内联策略
最后,IAM 用户需要附加内联策略以允许对桶的写访问权限:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PermissionForObjectOperations",
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::bucket-name/*"
]
}
]
}
英文:
Buckets are "locked down" by default. There is no need to deny access to a bucket explicitly.
Amazon suggests all new buckets are created with ACL disabled. This means that the bucket owner owns all files and file versions within a bucket by default.
Access is granted to other users via bucket policies and user/IAM policies.
In this use case, I want the bucket to be private apart from one file. We also have one IAM user who should have access to modify files within the bucket.
Bucket Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "GrantOperationAccessToIamUser",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::8000000000000:user/bucket-user"
},
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::bucket-name"
},
{
"Sid": "GrantGetAccessToIamUser",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::8000000000000:user/bucket-user"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket-name/*"
}
]
}
In order to allow public read access to one folder (in this case the folder name is "public"), you can add the following:
{
"Sid": "AddPublicAccess",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource":"arn:aws:s3:::bucket-name/public/*"
}
IAM User Inline Policy
Finally the IAM user needs an inline policy attached to allow write access to the bucket:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PermissionForObjectOperations",
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::bucket-name/*"
]
}
]
}
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论