設定IAM使用者許可權允許訪問特定S3的bucket或者目錄
阿新 • • 發佈:2019-01-11
通過設定IAM使用者許可權,可以限制IAM使用者訪問特定的S3 bucket或者目錄的許可權。
(1) case1:只允許IAM使用者通過API或者s3cmd命令列工具訪問特定S3 bucket
這樣雖然直接 s3cmd ls會報Access Deny,但是s3cmd ls s3://mod-backup還是可以看到的
(2) case2: 使用CloudBerry這類圖形化工具,只允許使用者訪問特定的S3bucket或者特定目錄
IAM user的授權跟API方式的一樣
在配置CloudBerry的時候,通過配置External Bucket來只顯示該Bucket或者某個目錄
<1>配置整個bucket是External Bucket填寫bucket name,例如mod-backup
<2>若只有改Bucket下某個目錄的許可權,就填寫mod-backup/wangfei
(3) case3: 允許IAM使用者通過AWS console(web管理頁面)訪問且僅能訪問特定S3 bucket
這樣IAM使用者只能讀寫mod-backup這個bucket,但是又個問題,雖然其他的bucket無許可權訪問到,但是在bucket列表中依然能看到,但看不到裡面的內容。修改成
{ "Statement": [ { "Effect": "Allow", "Action": ["s3:ListBucket" ], "Resource": [ "arn:aws:s3:::mod-backup"] }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject"], "Resource": [ "arn:aws:s3:::mod-backup/*"] } ] }
{ "Statement": [ { "Effect": "Allow", "Action": ["s3:ListBucket" ], "Resource": [ "arn:aws:s3:::mod-backup"] }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject"], "Resource": [ "arn:aws:s3:::mod-backup/*"] } ] }
{ "Statement": [ { "Effect": "Allow", "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"], "Resource": "arn:aws:s3:::*" }, { "Effect": "Allow", "Action": ["s3:ListBucket" ], "Resource": [ "arn:aws:s3:::mod-backup"] }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject"], "Resource": [ "arn:aws:s3:::mod-backup/*"] } ] }
"Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"], "Resource": "arn:aws:s3:::mod-backup"這樣也不行,這樣什麼bucket都列舉不出來,因為s3:GetBucketLocation這個api操作的物件只能是AllBucket。