AWS S3 access permissions
1.1 Basic policy fields
Access to an S3 bucket is controlled with a JSON policy. The example policy below grants access to a bucket: it lets the user perform only s3:ListBucket, s3:PutObject and s3:GetObject on MY-BUCKET (the fields are explained after the policy):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3:::MY-BUCKET"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject"],
      "Resource": "arn:aws:s3:::MY-BUCKET/*"
    }
  ]
}
- Version: the policy language version. Use "2012-10-17", the current version; it is a fixed string, not the date the policy was written. The older "2008-10-17" does not support policy variables such as ${aws:username}.
- Statement: an array of statements, each one an access rule; a policy may contain several.
- Effect: Allow or Deny. An explicit Deny always wins over an Allow, and anything no statement allows is denied by default.
- Action: a string or an array of strings naming the API operations; "s3:*" matches every S3 operation.
- Resource: the ARN (string or array) the statement applies to; every AWS resource has one. The two statements above deliberately use different ARNs: s3:ListBucket is a bucket-level operation, so its resource is the bucket ARN arn:aws:s3:::MY-BUCKET, while s3:GetObject and s3:PutObject act on objects and need arn:aws:s3:::MY-BUCKET/*. A statement that puts an object action on the bare bucket ARN never matches and grants nothing.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GrantAnonymousReadPermissions",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::awsexamplebucket1/*"]
    }
  ]
}
- Sid: an optional statement identifier, unique within the policy (usually a short description).
- Principal: the user, account, role, service or other entity the statement allows or denies. It appears only in resource-based policies such as bucket policies; the identity policy in the first example has none. "Principal": "*" means everyone, including unauthenticated anonymous requests, so this policy makes every object in awsexamplebucket1 readable by anyone on the Internet. With S3 Block Public Access (BlockPublicPolicy) enabled, S3 rejects a bucket policy like this.
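As an added example (not code from this page or from AWS), here is a small Python linter for the two policies above. It flags the two mistakes the fields invite: an Allow statement whose Principal is "*" with no Condition (the anonymous-read policy), and an action applied at the wrong resource level (an object action such as s3:GetObject on a bare bucket ARN, or s3:ListBucket on bucket/* only), which silently never matches. The MISSCOPED_POLICY input and the bucket name logs-bucket are constructed for the demonstration; the other two policies are the page's own.

```python
"""Added example: lint S3 policy statements for anonymous access and mis-scoped resources."""
import json

# Object-level actions need an object ARN (bucket/...); bucket-level ones need the bucket ARN.
OBJECT_ACTIONS = {"s3:getobject", "s3:putobject", "s3:deleteobject", "s3:putobjectacl"}
BUCKET_ACTIONS = {"s3:listbucket", "s3:getbucketpolicy", "s3:putbucketpolicy"}


def _as_list(value):
    """IAM allows a string or an array for Action, Resource and Principal entries."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def is_anonymous(principal):
    """True when the statement's Principal is everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def resource_levels(arn):
    """Which level an S3 ARN can match: {"bucket"}, {"object"}, or both for a wildcard."""
    tail = arn.split(":::", 1)[-1]
    if arn == "*" or tail == "*":
        return {"bucket", "object"}
    return {"object"} if "/" in tail else {"bucket"}


def lint_bucket_policy(policy):
    """Return human-readable findings for the Allow statements of a parsed policy."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        sid = stmt.get("Sid", f"Statement[{idx}]")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        resources = _as_list(stmt.get("Resource"))
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if is_anonymous(stmt.get("Principal")) and "Condition" not in stmt:
            findings.append(f"{sid}: unconditional public access to {', '.join(resources)}")
        levels = set().union(*(resource_levels(r) for r in resources)) if resources else set()
        for action in actions:  # "s3:*" is in neither set, so it is not checked here
            if action in OBJECT_ACTIONS and "object" not in levels:
                findings.append(f"{sid}: {action} is object-level but no object ARN (bucket/*) is listed")
            if action in BUCKET_ACTIONS and "bucket" not in levels:
                findings.append(f"{sid}: {action} is bucket-level but only object ARNs are listed")
    return findings


# Page policy 1: identity-based (no Principal), correctly split between bucket and object ARNs.
IDENTITY_POLICY = json.loads("""
{ "Version": "2012-10-17", "Statement": [
  { "Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::MY-BUCKET" },
  { "Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"], "Resource": "arn:aws:s3:::MY-BUCKET/*" } ] }
""")

# Page policy 2: bucket policy that makes every object readable by anyone.
ANON_READ_POLICY = json.loads("""
{ "Version": "2012-10-17", "Statement": [
  { "Sid": "GrantAnonymousReadPermissions", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::awsexamplebucket1/*"] } ] }
""")

# Constructed for this example: both statements name the wrong resource level and never match.
ROLE = {"AWS": "arn:aws:iam::111111111111:role/ROLENAME"}
MISSCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnBucketArn", "Effect": "Allow", "Principal": ROLE,
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::logs-bucket"},
        {"Sid": "ListOnObjectArn", "Effect": "Allow", "Principal": ROLE,
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::logs-bucket/*"},
    ],
}

if __name__ == "__main__":
    for name, policy in [("identity", IDENTITY_POLICY), ("anon-read", ANON_READ_POLICY),
                         ("misscoped", MISSCOPED_POLICY)]:
        print(name, lint_bucket_policy(policy) or ["no findings"])
```

The linter only understands the subset of the policy grammar used on this page; it does not expand "s3:*", evaluate Conditions or consider Block Public Access settings, so treat a clean result as "nothing obvious" rather than "safe".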
1.2 S3 condition keys (Condition)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "statement1",
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": ["arn:aws:s3:::awsexamplebucket1/*"],
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "public-read"
        }
      }
    }
  ]
}
- Condition: the circumstances under which the statement applies. Here s3:PutObject is allowed only when the request carries the header x-amz-acl: public-read (exposed as the condition key s3:x-amz-acl); an upload without that header matches no statement and is denied.
Other conditions can be used as well, for example restricting by source address (aws:SourceIp with IpAddress/NotIpAddress; below, requests from 192.0.2.0/24 are accepted except those from 192.0.2.188), or requiring that an upload grant full control to a specific canonical user ID (s3:x-amz-grant-full-control):
"Condition" : {
"IpAddress" : {
"aws:SourceIp": "192.0.2.0/24"
},
"NotIpAddress" : {
"aws:SourceIp": "192.0.2.188/32"
}
}
"Condition": {
"StringEquals": {
"s3:x-amz-grant-full-control": "id=AccountA-CanonicalUserID"
}
}
More condition keys are listed in the official documentation: https://docs.aws.amazon.com/zh_cn/AmazonS3/latest/dev/list_amazons3.html
2. Restricting access to an AWS S3 bucket to a specific IAM role
In the statements below, 111111111111 is the account ID and ROLENAME is the role name. Each snippet is a single statement; to apply it, place it inside the "Statement" array of a policy with "Version": "2012-10-17".
// Use Principal to name ROLENAME in account 111111111111
// and grant it s3:ListBucket on the MyExampleBucket bucket
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111111111111:role/ROLENAME"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::MyExampleBucket"
}
// Select the role through a Condition instead: deny everyone whose aws:userId does not match.
// Sessions of a role carry aws:userId "<RoleId>:<session-name>", so the role's unique ID
// (AROAEXAMPLEID here; look it up with: aws iam get-role --role-name ROLENAME --query Role.RoleId)
// is matched with a trailing ":*". The bare account ID exempts the account root so the bucket
// owner cannot be locked out. A unique ID is not reused when a role is deleted and recreated,
// so a recreated role of the same name does not inherit the exemption, unlike a name-based Principal.
// Requests with no aws:userId at all (anonymous callers) also match a negated operator and are denied.
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::MyExampleBucket",
"arn:aws:s3:::MyExampleBucket/*"
],
"Condition": {
"StringNotLike": {
"aws:userId": [
"AROAEXAMPLEID:*",
"111111111111"
]
}
}
}
// Grant both role/ROLENAME and user/USERNAME in account 222222222222 through Principal.
// Principal must be a single JSON object, not an array of objects; several identities go
// into the "AWS" array.
{
  "Effect": "Allow",
  "Principal": {
    "AWS": [
      "arn:aws:iam::222222222222:role/ROLENAME",
      "arn:aws:iam::222222222222:user/USERNAME"
    ]
  },
  "Action": "s3:ListBucket",
  "Resource": "arn:aws:s3:::MyExampleBucket"
}
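The following Python evaluator is an added example, not AWS code, and serves both the Condition section (1.2) and the deny-except-role pattern above. It models only what those sections rely on: explicit Deny beats Allow, a request matched by no statement is implicitly denied, "*" and "?" wildcards in Action and Resource, and the StringEquals, StringNotLike, IpAddress and NotIpAddress operators, including the IAM rule that a negated operator evaluates to true when its key is absent from the request (which is why the aws:userId Deny also catches anonymous callers). The request contexts, the session name deploy and the object key report.csv are constructed; ctx["principal"] stands for the IAM user or role IAM resolves the caller to (a real role session presents an assumed-role ARN), and AROAEXAMPLEID stands for ROLENAME's real RoleId. Identity policies, SCPs and Block Public Access are outside this model.

```python
"""Added example: evaluate one S3 policy against a request context (bucket-policy subset only)."""
import ipaddress
import re


def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])


def _wild(pattern, value):
    """IAM wildcard match: '*' is any run of characters, '?' a single character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _in_cidrs(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


# Operators used on this page: (actual request value, list of policy values) -> bool
_OPERATORS = {
    "StringEquals": lambda a, e: a in e,
    "StringNotEquals": lambda a, e: a not in e,
    "StringLike": lambda a, e: any(_wild(p, a) for p in e),
    "StringNotLike": lambda a, e: not any(_wild(p, a) for p in e),
    "IpAddress": _in_cidrs,
    "NotIpAddress": lambda a, e: not _in_cidrs(a, e),
}
_NEGATED = {"StringNotEquals", "StringNotLike", "NotIpAddress"}


def _conditions_hold(condition, ctx):
    """All operator/key pairs must hold. A key missing from the request makes a
    positive operator false and a negated operator true (IAM semantics)."""
    for op, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            if key not in ctx:
                if op in _NEGATED:
                    continue
                return False
            if not _OPERATORS[op](ctx[key], _as_list(expected)):
                return False
    return True


def _principal_matches(principal, ctx):
    if principal is None or principal == "*":  # identity policy / everyone incl. anonymous
        return True
    if isinstance(principal, dict):
        allowed = _as_list(principal.get("AWS"))
        return "*" in allowed or ctx.get("principal") in allowed
    return False


def evaluate(policy, ctx):
    """Return "Allow", "ExplicitDeny" or "ImplicitDeny" for ctx under one policy."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt.get("Principal"), ctx):
            continue
        if not any(_wild(a.lower(), ctx["action"].lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wild(r, ctx["resource"]) for r in _as_list(stmt["Resource"])):
            continue
        if not _conditions_hold(stmt.get("Condition"), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # an explicit Deny cannot be overridden by any Allow
        decision = "Allow"
    return decision


# Section 1.2 statement from the page, with the page's IP conditions merged into it (constructed).
UPLOAD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "statement1", "Effect": "Allow", "Action": "s3:PutObject",
    "Resource": ["arn:aws:s3:::awsexamplebucket1/*"],
    "Condition": {"StringEquals": {"s3:x-amz-acl": "public-read"},
                  "IpAddress": {"aws:SourceIp": "192.0.2.0/24"},
                  "NotIpAddress": {"aws:SourceIp": "192.0.2.188/32"}}}]}

# Section 2 pattern: AROAEXAMPLEID stands for ROLENAME's RoleId; a role session's aws:userId is
# "RoleId:session-name" and an account root's is the bare account ID, so both are exempted.
ROLE_ARN = "arn:aws:iam::111111111111:role/ROLENAME"
BUCKET = "arn:aws:s3:::MyExampleBucket"
DENY_EXCEPT_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN}, "Action": "s3:ListBucket", "Resource": BUCKET},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"StringNotLike": {"aws:userId": ["AROAEXAMPLEID:*", "111111111111"]}}}]}


def demo():
    """Constructed request contexts; returns {case: decision}."""
    obj = "arn:aws:s3:::awsexamplebucket1/report.csv"
    upload = {"action": "s3:PutObject", "resource": obj, "s3:x-amz-acl": "public-read", "aws:SourceIp": "192.0.2.10"}
    role_list = {"principal": ROLE_ARN, "aws:userId": "AROAEXAMPLEID:deploy", "action": "s3:ListBucket", "resource": BUCKET}
    other_role = dict(role_list, principal="arn:aws:iam::111111111111:role/OTHER", **{"aws:userId": "AROAOTHERID:deploy"})
    root = dict(role_list, principal="arn:aws:iam::111111111111:root", **{"aws:userId": "111111111111"})
    return {
        "upload ok": evaluate(UPLOAD_POLICY, upload),
        "upload without acl header": evaluate(UPLOAD_POLICY, {k: v for k, v in upload.items() if k != "s3:x-amz-acl"}),
        "upload from excluded ip": evaluate(UPLOAD_POLICY, dict(upload, **{"aws:SourceIp": "192.0.2.188"})),
        "ROLENAME session lists bucket": evaluate(DENY_EXCEPT_ROLE_POLICY, role_list),
        "other role in same account": evaluate(DENY_EXCEPT_ROLE_POLICY, other_role),
        "anonymous GetObject": evaluate(DENY_EXCEPT_ROLE_POLICY, {"action": "s3:GetObject", "resource": BUCKET + "/report.csv"}),
        "account root (exempt from Deny, no Allow here)": evaluate(DENY_EXCEPT_ROLE_POLICY, root),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{decision:<12} {case}")
```

The distinction between ExplicitDeny and ImplicitDeny is the practical point: the account root comes out as ImplicitDeny, meaning the bucket policy neither grants nor forbids it, so an identity policy in the same account can still grant it access, whereas every other role in the account gets an ExplicitDeny that no identity policy can override.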
Walkthrough (official AWS blog post on restricting bucket access to a specific IAM role): https://aws.amazon.com/cn/blogs/china/securityhow-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/