Amazon S3 Folder Level Permissions

问题:

I am using Amazon S3 to archive my client's documents within a single bucket and a series of folders as such, to distinguish each client.

MyBucket/0000001/.. MyBucket/0000002/.. MyBucket/0000003/.. 

My clients are now looking for a way to independently backup their files to their local machine. I'd like to create a set of permissions at a given folder level to view/download those files only within a specific folder.

I'm looking to do this outside the scope of my application, by this I mean, I'd like to create a set of permissions in the S3 browser and tell my clients to use some 3rd Party App to link to their area. Does anybody know if this is possible? I'm opposed to writing a module to automate this as at present as their simply isn't a big enough demand.

回答1:

You can use IAM policies in conjunction with bucket policies to manage such access.

Each individual client would need their own IAM profile, and you would set up policies to limit object access to only those accounts.

Here is the AWS documentation:

http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingIAMPolicies.html

I would particularly point out Example 1 in that document, which does exactly what you want.

回答2:

Please refer to the following policy to restrict the user to upload or list objects only to specific folders. I have created a policy that allows me to list only the objects of folder1 and folder2, and also allows to put the object to folder1 and deny uploads to other folders of the buckets. The policy does as below: 1.List all the folders of bucket 2.List objects and folders of allowed folders 3.Uploads files only to allowed folders

{     "Version": "2012-10-17",     "Statement": [         {             "Sid": "AllowUserToSeeBucketListInTheConsole",             "Action": [                 "s3:ListAllMyBuckets",                 "s3:GetBucketLocation"             ],             "Effect": "Allow",             "Resource": [                 "arn:aws:s3:::*"             ]         },         {             "Sid": "AllowListingOfFolder1And2",             "Action": [                 "s3:*"             ],             "Effect": "Deny",             "Resource": [                 "arn:aws:s3:::bucketname"             ],             "Condition": {                 "StringNotLike": {                     "s3:prefix": [                         "folder1/*",                         "folder2/*"                     ]                 },                 "StringLike": {                     "s3:prefix": "*"                 }             }         },         {             "Sid": "Allowputobjecttofolder1only",             "Effect": "Deny",             "Action": "s3:PutObject",             "NotResource": "arn:aws:s3:::bucketname/folder1/*"         }     ] } 

文章来源: Amazon S3 Folder Level Permissions