I have a simple bucket that looks like images.mysite.com
on my S3 and other buckets containing backups, etc.
I want to allow a specific user to be able
Similar to what others described above:
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":[
"s3:ListBucket"
],
"Resource":"arn:aws:s3:::awsexamplebucket"
},
{
"Effect":"Allow",
"Action":[
"s3:PutObject",
"s3:GetObject"
],
"Resource":"arn:aws:s3:::awsexamplebucket/*"
}
]
}
Here, however, is the missing piece. While it is not possible to access the bucket through S3->Home, it is possible to access only the desired bucket through a direct link.
https://s3.console.aws.amazon.com/s3/buckets/yourawsbucket/
You can find more information in the following post:
https://aws.amazon.com/premiumsupport/knowledge-center/s3-console-access-certain-bucket/
A nice simple solution we came up with is to block the user from logging in to the root directory. So they must log in with the remote path set to the desired folder.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::folder-name*",
      "Condition": {}
    }
  ]
}
I've been trying this for a while and finally came up with a working solution. You must use different "Resources" depending on the kind of action you're performing. Also I included some missing actions in the previous answer (like DeleteObject) and restricted some more (like PutBucketAcl).
The following IAM policy is working for me now:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListBucketMultipartUploads"
],
"Resource": "arn:aws:s3:::itnighq",
"Condition": {}
},
{
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutObjectVersionAcl"
],
"Resource": "arn:aws:s3:::itnighq/*",
"Condition": {}
},
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*",
"Condition": {}
}
]
}
The actions regarding a bucket and those regarding objects must have different ARNs.
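The bucket-ARN versus object-ARN split that the answers above keep running into is easy to get wrong by hand, so here is an added example (not code from the thread) that builds the same least-privilege single-bucket policy and lints a policy for the mistakes that make it silently fail: a bucket-level action such as s3:ListBucket on the "/*" resource, an object-level action on the bare bucket ARN, s3:ListAllMyBuckets on anything but "*", a Principal element (only valid in bucket policies), a duplicate Sid, a missing Version, and a blanket s3:*. The action lists are the ones from the working policy above; the lint rules, the Sid names and the broken counter-example policy are constructed for this example.

```python
import json

# Bucket-level actions are evaluated against the bucket ARN (no "/*");
# object-level actions against the object ARN (bucket ARN + "/*");
# s3:ListAllMyBuckets is account-level and only matches Resource "*".
# The split mirrors the working policy in the answer above.
BUCKET_ACTIONS = {
    "s3:ListBucket", "s3:GetBucketLocation", "s3:ListBucketMultipartUploads",
}
OBJECT_ACTIONS = {
    "s3:AbortMultipartUpload", "s3:DeleteObject", "s3:DeleteObjectVersion",
    "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectVersion",
    "s3:GetObjectVersionAcl", "s3:PutObject", "s3:PutObjectAcl",
    "s3:PutObjectVersionAcl",
}
ACCOUNT_ACTIONS = {"s3:ListAllMyBuckets"}


def as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def resource_scope(resource):
    """'*' matches anything; an ARN with '/' after the bucket name is an object ARN."""
    if resource == "*":
        return "any"
    name = resource.split(":::", 1)[-1]
    return "object" if "/" in name else "bucket"


def build_policy(bucket, list_all_buckets=True):
    """Least-privilege identity policy for one bucket, bucket/object ARNs split.
    Sid names are this example's own choice."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    statements = [
        {"Sid": "BucketLevel", "Effect": "Allow",
         "Action": sorted(BUCKET_ACTIONS), "Resource": bucket_arn},
        {"Sid": "ObjectLevel", "Effect": "Allow",
         "Action": sorted(OBJECT_ACTIONS), "Resource": f"{bucket_arn}/*"},
    ]
    if list_all_buckets:  # needed by clients (and the console) that enumerate buckets
        statements.append({"Sid": "ListBuckets", "Effect": "Allow",
                           "Action": "s3:ListAllMyBuckets", "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def lint_policy(policy):
    """Return findings for the mistakes that make single-bucket policies silently fail."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("policy: Version should be 2012-10-17")
    seen_sids = set()
    for index, stmt in enumerate(policy.get("Statement", [])):
        where = stmt.get("Sid") or f"statement[{index}]"
        if "Principal" in stmt or "NotPrincipal" in stmt:
            findings.append(f"{where}: Principal is not allowed in an identity (user/group/role) policy")
        sid = stmt.get("Sid")
        if sid is not None:
            if sid in seen_sids:
                findings.append(f"{where}: duplicate Sid")
            seen_sids.add(sid)
        if stmt.get("Effect") != "Allow":
            continue
        for resource in as_list(stmt.get("Resource", [])):
            scope = resource_scope(resource)
            for action in as_list(stmt.get("Action", [])):
                if action == "s3:*":
                    findings.append(f"{where}: s3:* on {resource} includes ACL-writing actions; list actions explicitly")
                elif action in BUCKET_ACTIONS and scope == "object":
                    findings.append(f"{where}: {action} never matches object ARN {resource}; use the bucket ARN")
                elif action in OBJECT_ACTIONS and scope == "bucket":
                    findings.append(f"{where}: {action} never matches bucket ARN {resource}; append /*")
                elif action in ACCOUNT_ACTIONS and resource != "*":
                    findings.append(f'{where}: {action} only matches Resource "*"')
    return findings


# Constructed counter-example: the bucket/object ARNs are swapped, the Sid is
# reused, a Principal slipped in from a bucket policy, and s3:* is used.
BROKEN_POLICY = {
    "Statement": [
        {"Sid": "Images", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::images.mysite.com/*"},
        {"Sid": "Images", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::images.mysite.com"},
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::images.mysite.com/*"},
    ]
}

if __name__ == "__main__":
    print(json.dumps(build_policy("itnighq"), indent=2))
    for finding in lint_policy(BROKEN_POLICY):
        print("finding:", finding)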
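```

Run it and the generated policy for "itnighq" lints clean, while the broken one produces seven findings. The linter only reasons about resource shape, not about what the account actually contains, so it cannot tell you whether "arn:aws:s3:::folder-name*" matches more buckets than you intended; it does catch the case where an Allow can never match anything.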
No, it's not currently possible to limit users to view selective buckets under root or anywhere else. You have only those 3 options right now.
I chose to ask the client to use the bucket name explicitly.
I found this solution:
AWS FLOW:
Bucket policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::MyExampleBucket",
        "arn:aws:s3:::MyExampleBucket/*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:userId": [
            "AROAEXAMPLEID:*",
            "111111111111"
          ]
        }
      }
    }
  ]
}
Here AROAEXAMPLEID:* is the role ID and 111111111111 the account ID.
IAM policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::MyExampleBucket",
        "arn:aws:s3:::MyExampleBucket/*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:userId": [
            "AROAEXAMPLEID:*",
            "AIDAEXAMPLEID",
            "111111111111"
          ]
        }
      }
    }
  ]
}
Here AROAEXAMPLEID:* is the role ID, AIDAEXAMPLEID the user ID and 111111111111 the account ID.
aws iam get-user --user-name USER-NAME --profile=ExampleProfile
aws iam get-role --role-name ROLE-NAME --profile=ExampleProfile
Source: https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/
P.S. Be careful with the bucket policy; you can lock yourself out without permissions.
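To see who the explicit Deny above actually locks out before you apply it (the P.S. warning), here is an added example, not code from the answer or the linked AWS post, that evaluates the bucket policy's StringNotLike condition on aws:userid the way IAM does, for a handful of constructed principals. The policy and the placeholder IDs are copied from the answer; the principal list and their user IDs are made up for the example, in the shapes AWS uses (role sessions as "<role id>:<session name>", IAM users as their unique ID, the root user as the account ID).

```python
import re

# The bucket policy from the answer above, as a Python dict: an explicit Deny
# for everyone whose aws:userid matches none of the listed values.
DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::MyExampleBucket", "arn:aws:s3:::MyExampleBucket/*"],
        "Condition": {"StringNotLike": {"aws:userId": [
            "AROAEXAMPLEID:*",   # role: <role unique id>:<session name>
            "AIDAEXAMPLEID",     # IAM user unique id (no session suffix)
            "111111111111",      # account id, i.e. the root user
        ]}},
    }],
}


def iam_string_like(value, pattern):
    """IAM StringLike: case-sensitive; '*' matches any run, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def exempt_patterns(policy):
    """Pull the aws:userid patterns out of the Deny statement's StringNotLike block."""
    cond = policy["Statement"][0]["Condition"]["StringNotLike"]
    key = next(k for k in cond if k.lower() == "aws:userid")  # condition keys are case-insensitive
    return cond[key] if isinstance(cond[key], list) else [cond[key]]


def is_denied(user_id, patterns):
    """StringNotLike with several values is true only when the request value
    matches none of them, so the Deny fires for everyone not on the list."""
    return not any(iam_string_like(user_id, p) for p in patterns)


def lockout_report(policy, principals):
    """Map each principal name to 'DENY' or 'pass' under the policy's condition."""
    patterns = exempt_patterns(policy)
    return {name: ("DENY" if is_denied(uid, patterns) else "pass")
            for name, uid in principals.items()}


# Constructed principals (names and IDs invented for this example).
PRINCIPALS = {
    "root user": "111111111111",
    "allowed role, session 'deploy'": "AROAEXAMPLEID:deploy",
    "allowed IAM user": "AIDAEXAMPLEID",
    "admin IAM user not on the list": "AIDAADMINEXAMPLE",
    "some other role": "AROAOTHERROLEID:ops",
}

if __name__ == "__main__":
    for name, verdict in lockout_report(DENY_POLICY, PRINCIPALS).items():
        print(f"{verdict:5} {name}")
```

Two things the report makes visible: an explicit Deny beats every Allow, so an administrator whose unique ID is not on the list is denied even with AdministratorAccess attached, and a role entry written without the ":*" suffix never matches a session, because the role's aws:userid always carries the session name. If you do lock yourself out, the account root user can still call DeleteBucketPolicy on a bucket the account owns (AWS documents that exception for exactly this situation), so keep root credentials reachable before applying a Deny like this.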
There is a great way to allow users to access a specific bucket without compromising knowledge of other buckets. A group policy like the one below will allow users to only see "bucket a". The only catch is that the user will only ever be able to access the bucket if they connect to the given bucket endpoint. For the example below that would be bucket-a.s3.amazonaws.com. The bucket may also have to have "Authenticated Users" allowed for this to occur.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "<EXAMPLE_SID_1>",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::bucket-a"
      ]
    },
    {
      "Sid": "<EXAMPLE_SID_2>",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::bucket-a/*"
      ]
    }
  ]
}
This method was tested with Cyberduck on Mac OS X and using the s3cmd package:
./s3cmd ls s3://bucket-a --access_key=ACCESS_KEY --secret_key=SECRET_KEY --bucket-location=ap-southeast-2