1. 技术文章
  2. AWS IAM Permissions for GetObjects in ONE S3 Bucket not working

AWS IAM Permissions for GetObjects in ONE S3 Bucket not working

。_饼干妹妹 提交于 2019-12-13 04:42:08

问题


I am trying to write a permission for a user to just be able to access the objects in ONE specific bucket.

I currently have:

{
  "Version": "2012-10-17",
  "Statement":[{
    "Effect": "Allow",
    "Action": "s3:GetObject",
    "Resource": ["arn:aws:s3:::test",
                 "arn:aws:s3:::test/*"]
    }
  ]
}

but the user can still access ALL my other buckets. Note that my other buckets don't have policy... I don't think it should matter. I just want that user's IAM to be allowed to that specific bucket.


回答1:


Amazon S3 is one of the most complex services due to offering three different permission mechanisms, which can all applied simultaneously, see e.g. IAM policies and Bucket Policies and ACLs! Oh My! (Controlling Access to S3 Resources) for a nice writeup of the subject matter, in particular, section How does authorization work with multiple access control mechanisms?:

Whenever an AWS principal issues a request to S3, the authorization decision depends on the union of all the IAM policies, S3 bucket policies, and S3 ACLs that apply.

The behavior you experience indicates some misconfiguration somewhere, i.e. you likely allow access to the bucket at a level you might not be aware of - concerning Amazon IAM alone, the IAM Policy Simulator is an excellent tool to debug such situations and I highly suggest to verify your configuration there first.

However, while this is sufficient for most services, it doesn't cover the other two permission mechanisms for S3 as outlined above, but would at least isolate the analysis already.




回答2:


Do try the following IAM user policy which allow full access to only a single bucket.

Note that the 'list all buckets' is required but the user won't be able to access other buckets than the one you specified in the policy.

{
   "Statement":[
  {
     "Effect":"Allow",
     "Action":[
        "s3:ListAllMyBuckets"
     ],
     "Resource":"arn:aws:s3:::*"
  },
  {
     "Effect":"Allow",
     "Action":[
        "s3:ListBucket",
        "s3:GetBucketLocation"
     ],
     "Resource":"arn:aws:s3:::examplebucket"
  },
  {
     "Effect":"Allow",
     "Action":[
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
     ],
     "Resource":"arn:aws:s3:::examplebucket/*"
  }
   ]
}


来源:https://stackoverflow.com/questions/22540193/aws-iam-permissions-for-getobjects-in-one-s3-bucket-not-working

标签
amazon-web-services
amazon-s3
amazon-iam
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!