我遵循这个答案的说明来生成以下S3桶策略:
{
"Id": "Policy1495981680273",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1495981517155",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::surplace-audio",
"Principal": "*"
}
]
}
我得到以下错误:
操作不适用于语句中的任何资源
我的保单中遗漏了什么?
当前回答
参考AWS >文档> AWS身份和访问管理>用户指南 https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html
它在注释中明确定义,有些服务不允许您为单个资源指定操作。
在Resource元素中使用通配符*
“资源”:“当arn: aws s3::: surplace-audio / *
其他回答
刚刚遇到了这个问题,并为那些想要在同一策略中拥有ListBucket和GetObject的人找到了一个更短的解决方案。重要的是在Resource下列出bucket-name和bucket-name/*。
{
"Id": "Policyxxxx961",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmtxxxxx4365",
"Action": [
"s3:GetObject",
"s3:ListBucket",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bucket-name",
"arn:aws:s3:::bucket-name/*"
],
"Principal": "*"
}
]
}
仅仅删除s3:ListBucket权限对我来说并不是一个足够好的解决方案,可能对其他许多人来说也不是。
如果你想要s3:ListBucket权限,你只需要有桶的普通arn(没有结尾的/*),因为这个权限适用于桶本身,而不是桶内的项目。
如下所示,你必须拥有s3:ListBucket权限,作为一个单独的语句,与bucket内的项目相关的权限,如s3:GetObject和s3:PutObject:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Principal": {
"AWS": "[IAM ARN HERE]"
},
"Resource": "arn:aws:s3:::my-bucket-name"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Principal": {
"AWS": "[IAM ARN HERE]"
},
"Resource": "arn:aws:s3:::my-bucket-name/*"
}
]
}
无论何时尝试应用桶策略。记住这一点,如果你正在使用像“s3:ListBucket”,“s3:GetBucketPolicy”,“s3:GetBucketAcl”等与桶相关的操作,policy中的资源属性应该被提到为<" resource ": "arn:aws:s3:::bucket_name">。
Ex.
{
"Version": "2012-10-17",
"Id": "Policy1608224885249",
"Statement": [
{
"Sid": "Stmt1608226298927",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetBucketPolicy",
"s3:GetBucketAcl",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::bucket_name"
}
]
}
如果您正在使用“s3:GetObject”、“s3:DeleteObject”、“s3:GetObject”等与对象相关的操作,则policy中的资源属性应提到为<" resource ": "arn:aws:s3:::bucket_name/*">。
ex.
{
"Id": "Policy1608228066771",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1608228057071",
"Action": [
"s3:DeleteObject",
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucket_name/*",
"Principal": "*"
}
]
}
最后,如果你正在使用“s3:ListBucket”,“s3:GetObject”等操作,这些操作与桶和对象都相关,那么策略中的资源属性应该被提到为<" resource ": ["arn:aws:s3:::bucket_name/*", " resource ": "arn:aws:s3:::bucket_name">。
ex.
{
"Version": "2012-10-17",
"Id": "Policy1608224885249",
"Statement": [
{
"Sid": "Stmt1608226298927",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::bucket_name",
"arn:aws:s3:::bucket_name/*"
]
}
] }
您还可以为每个文件夹配置ListBuckets,如下所示
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowSESPuts-1521238702575",
"Effect": "Allow",
"Principal": {
"Service": "ses.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::buckets.email/*",
"Condition": {
"StringEquals": {
"aws:Referer": "[red]"
}
}
},
{
"Sid": "Stmt1586754972129",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::596322993031:user/[red]"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::buckets.email",
"Condition": {
"StringEquals": {
"s3:delimiter": "/",
"s3:prefix": [
"",
"domain.co",
"domain.co/user"
]
}
}
},
{
"Sid": "Stmt1586754972129",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::596322993031:user/[red]"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::buckets.email",
"Condition": {
"StringLike": {
"s3:prefix": "domain.co/user/*"
}
}
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::596322993031:user/[red]"
},
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::buckets.email/domain.co/user/*"
}
]
}
这些规则与SES一起用于接收电子邮件,但允许外部用户查看SES放入bucket中的文件。 我按照这里的说明做了:https://aws.amazon.com/blogs/security/writing-iam-policies-grant-access-to-user-specific-folders-in-an-amazon-s3-bucket/
此外,必须将prefix指定为域。co/user/ WITH在使用SDK时,否则你将被拒绝访问。希望能对大家有所帮助
转到实例中的Amazon S3。 进入“权限->公共访问”页签。 选择“编辑”,取消勾选“阻止所有公共访问”并保存。 您将在权限选项卡和访问控制列表中看到“公共”标签。
