1. 技术文章
  2. Grant access to read a subdirectory within an Amazon S3 bucket

Grant access to read a subdirectory within an Amazon S3 bucket

空扰寡人 提交于 2019-12-10 11:04:38

问题


I've never used AWS S3 before. We use it to automatically backup call recordings for clients. One of our clients for audit purposes needs access to their recordings.

I am using the client CyberDuck as a way to access the files.

I want to give them access to only their files.

Our file structure is as follows:

recordings/12345/COMPANYNAMEHERE/

I just learned that you build and do things based on scripts and policies. So I did some research and tried to build one but I get an access denied on listing.

Just curious if I am going about this correctly. 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::recordings/12345/COMPANYNAMEHERE",
                "arn:aws:s3:::recordings/12345/COMPANYNAMEHERE/*"
            ]
        }
    ]
}

回答1:


You have only given them permission to ListAllMyBuckets, which means they can only list the names of your buckets, and can't do anything else.

If you have already created an IAM User for them, then giving them this policy would allow them to list and retrieve their files, but only from the given directory (or, more accurately, with the given prefix):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::my-bucket"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "recordings/123/*"
                    ]
                }
            }
        },
        {
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::my-bucket/recordings/123/*"
            ]
        }
    ]
}

If you do this a lot with customers, then you can use IAM Policy Variables to create a rule that substitutes their username:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::my-bucket"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "recordings/${aws:username}/*"
                    ]
                }
            }
        },
        {
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::my-bucket/recordings/${aws:username}/*"
            ]
        }
    ]
}


来源:https://stackoverflow.com/questions/43719257/grant-access-to-read-a-subdirectory-within-an-amazon-s3-bucket

标签
amazon-web-services
amazon-s3
acl
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!