我遵循这个答案的说明来生成以下S3桶策略:

{
  "Id": "Policy1495981680273",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1495981517155",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::surplace-audio",
      "Principal": "*"
    }
  ]
}

我得到以下错误:

操作不适用于语句中的任何资源

我的保单中遗漏了什么?


当前回答

您还可以为每个文件夹配置ListBuckets,如下所示

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSESPuts-1521238702575",
            "Effect": "Allow",
            "Principal": {
                "Service": "ses.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::buckets.email/*",
            "Condition": {
                "StringEquals": {
                    "aws:Referer": "[red]"
                }
            }
        },
        {
            "Sid": "Stmt1586754972129",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::596322993031:user/[red]"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::buckets.email",
            "Condition": {
                "StringEquals": {
                    "s3:delimiter": "/",
                    "s3:prefix": [
                        "",
                        "domain.co",
                        "domain.co/user"
                    ]
                }
            }
        },
        {
            "Sid": "Stmt1586754972129",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::596322993031:user/[red]"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::buckets.email",
            "Condition": {
                "StringLike": {
                    "s3:prefix": "domain.co/user/*"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::596322993031:user/[red]"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::buckets.email/domain.co/user/*"
        }
    ]
}

这些规则与SES一起用于接收电子邮件,但允许外部用户查看SES放入bucket中的文件。 我按照这里的说明做了:https://aws.amazon.com/blogs/security/writing-iam-policies-grant-access-to-user-specific-folders-in-an-amazon-s3-bucket/

此外,必须将prefix指定为域。co/user/ WITH在使用SDK时,否则你将被拒绝访问。希望能对大家有所帮助

其他回答

转到实例中的Amazon S3。 进入“权限->公共访问”页签。 选择“编辑”,取消勾选“阻止所有公共访问”并保存。 您将在权限选项卡和访问控制列表中看到“公共”标签。

我发现我的ListBuckets没有工作,因为IAM原则没有ListAllMyBuckets权限。

您必须检查Policy-的Resource标记下定义的arn模式

“资源”:“当arn: aws s3::: s3mybucketname / *

在桶的公共访问策略被解除后,如果你遇到这个问题,在结尾添加“/*”将有助于解决这个问题。

这很简单,只需要在结尾加上“/*”。您只给出了根目录链接,但是需要将操作应用到对象。

类型, “资源”:“在攻击:aws: s3::: surplace-audio / *”

要解决这个问题,您需要在策略规则中找到Resource,并在数组中添加arn桶,一个带*,第二个末尾不带*。这将修复错误。

{
    "Version": "2012-10-17",
    "Id": "Policy3783783783738",
    "Statement": [
        {
            "Sid": "Stmt1615891730703",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::76367367633:user/magazine-demo-root-user"
            },
            "Action": [
                "s3:ListBucket",
                "s3:ListBucketVersions",
                "s3:GetBucketLocation",
                "s3:DeleteObject",
                "s3:AbortMultipartUpload",
                "s3:Get*",
                "s3:Put*"
            ],
            "Resource": [
                "arn:aws:s3:::magazine-demo",
                "arn:aws:s3:::magazine-demo/*"
            ]
        }
    ]
}