我的 IAM 用户的策略包含以下声明:
{
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": "*"
},
我正在尝试使用 S3 资源策略拒绝此用户的访问,但无法成功。 这是 S3 政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "BlockRootAndHomeListingOfCompanyBucket",
"Effect": "Deny",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT_NUMBER:user/my_user"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::my-bucket",
"Condition": {
"StringEquals": {
"s3:prefix": [
"",
"user/",
"user/my_user"
],
"s3:delimiter": "/"
}
}
},
{
"Sid": "BlockAllOnSharedFolder",
"Effect": "Deny",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT_NUMBER:user/my_user"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::my-bucket",
"Condition": {
"StringLike": {
"s3:prefix": "shared/*"
}
}
}
]
}
所有适用于第一个语句,其中用户无法列出列出的任何对象。 问题在于 shared 文件夹的第二条语句。 最初第二条语句有 "Action": "s3:ListBucket" 并且全部有效。 后来我将 ListBucket 更改为“*”(如上面的代码所示)并等待了 20 多分钟以确保该策略将被激活。
问题是策略仅拒绝 my_bucket/shared 文件夹的 ListBucket:
$aws s3 ls s3://my-bucket/shared/folder/x1.txt
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: User: arn:aws:iam::ACCOUNT_NUMBER:user/my_user is not authorized to perform: s3:ListBucket on resource: "arn:aws:s3:::my-bucket" with an explicit deny in a resource-based policy
$ aws s3 rm s3://my-bucket/shared/folder/x1.txt
delete: s3://my-bucket/shared/folder/x1.txt
$ aws s3 cp x2.txt s3://my-bucket/shared/folder/
upload: ./x2.txt to s3://my-bucket/shared/folder/x2.txt
cp
和 rm
操作生效。从 S3 文件夹中添加/删除对象。
在上述拒绝
my-bucket/shared
文件夹上的所有操作的策略中我缺少什么?
一些 Amazon S3 操作发生在 bucket 上,例如
ListBucket
:
"Resource": "arn:aws:s3:::my-bucket",
一些操作发生在对象上,例如
DeleteObject
和PutObject
:
"Resource": "arn:aws:s3:::my-bucket/*",
注意
/*
中的Resource
,这是使用对象级操作时必需的。
您可以将它们组合在一起:
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
]
这应该使
s3:*
操作能够被识别为存储桶级和对象级操作。