我創建了一個用戶并分配了以下行內策略。同時我在 s3 中創建了一個存盤桶。
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucketname"
當我將此策略應用于特定用戶并嘗試訪問 S3 時,資源中列出的特定存盤桶未顯示?我擔心的是我已經對所有 s3 執行了操作,然后我的存盤桶沒有出現在 S3 中嗎?
通過可視化編輯器,我嘗試為相同的事物創建策略,策略如下所示
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:ListStorageLensConfigurations",
"s3:ListAccessPointsForObjectLambda",
"s3:GetAccessPoint",
"s3:PutAccountPublicAccessBlock",
"s3:GetAccountPublicAccessBlock",
"s3:ListAllMyBuckets",
"s3:ListAccessPoints",
"s3:ListJobs",
"s3:PutStorageLensConfiguration",
"s3:ListMultiRegionAccessPoints",
"s3:CreateJob"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucketname"
}
]
}
為什么為串列創建單獨的操作并允許每個資源?
uj5u.com熱心網友回復:
一些操作在存盤桶級別執行(例如列出存盤桶),而一些操作在物件級別執行(例如下載物件)。
您可以同時授予這兩種權限:
以下是用戶策略示例 - Amazon Simple Storage Service 中的示例:
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action": "s3:ListAllMyBuckets",
"Resource":"*"
},
{
"Effect":"Allow",
"Action":["s3:ListBucket","s3:GetBucketLocation"],
"Resource":"arn:aws:s3:::bucketname"
},
{
"Effect":"Allow",
"Action":[
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:DeleteObject"
],
"Resource":"arn:aws:s3:::bucketname/*"
}
]
}
您也可以將其全部合并為一個策略:
{
"Version":"2012-10-17",
"Statement":[
{
"Effect": "Allow",
"Action": "*",
"Resource": ["arn:aws:s3:::bucketname", "arn:aws:s3:::bucketname/*"]
}
]
}
但是,請注意,此“全部允許”策略還授予用戶洗掉物件和存盤桶的權限,因此在向用戶授予此類權限時應非常小心。
轉載請註明出處,本文鏈接:https://www.uj5u.com/qiye/373685.html
上一篇:如何使用AWSCDK正確洗掉
下一篇:如何使用ClassicLoadBalancer配置ElasticBeanstalkNodeJS應用程式以使用HTTPS?