问题
I have two users User1 and User2 that each have an IAM account in AWS. I have an s3 bucket "external_bucket.frommycompany.com". In that bucket is a folder for each user account "User1" and "User2". I want to grant R/W access to User1 to the User1 folder only and R/W access to User2 to the User2 folder only. I don't want them to be able to see each others' folders in the root directory of external_bucket.frommycompany.com. Is there a way to set up their IAM Policies such that this is possible?
My goal is to enable our users to connect to the S3 bucket from an S3 browser app like cloudberry so they can upload and download files to their folders only.
Any advice on the best design for this is welcome.
回答1:
From here
Something like this should work to allow User1 to only access User1's folder:
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowUserToSeeBucketListInTheConsole",
"Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::*"]
},
{
"Sid": "AllowRootAndHomeListingOfCompanyBucket",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::my-company"],
"Condition":{"StringEquals":{"s3:prefix":["","/"],"s3:delimiter":["/"]}}
},
{
"Sid": "AllowListingOfUserFolder",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::my-company"],
"Condition":{"StringLike":{"s3:prefix":["user1/*"]}}
},
{
"Sid": "AllowAllS3ActionsInUserFolder",
"Effect": "Allow",
"Action": ["s3:*"],
"Resource": ["arn:aws:s3:::user1/*"]
}
]
}
Apply that as User1's policy, and they should only be able to access the user1/ folder. The "s3:prefix":["","/"]... part can probably be changed, but I'm not familiar enough with the policy language to know how.
If you substitute user2 for user1 in User2's policy, User2 should only be able to access the user2/ folder, and so on.
回答2:
This is the official answer to your question.
Example: Allow each IAM user access to a folder in a bucket
In this example, you want two IAM users, Alice and Bob, to have access to your bucket, examplebucket, so they can add, update, and delete objects. However, you want to restrict each user’s access to a single folder in the bucket. You might create folders with names that match the user names.
回答3:
The use of policy variables is really a game changer if you aren't doing this today.
See this example in S3 policy examples:
Instead of attaching policies to individual users, though, you can write a single policy that uses a policy variable and attach the policy to a group. You will first need to create a group and add both Alice and Bob to the group. The following example policy allows a set of Amazon S3 permissions in the
examplebucket/${aws:username}folder. When the policy is evaluated, the policy variable${aws:username}is replaced by the requester's user name. For example, if Alice sends a request to put an object, the operation is allowed only if Alice is uploading the object to theexamplebucket/Alicefolder.{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "s3:PutObject", "s3:GetObject", "s3:GetObjectVersion", "s3:DeleteObject", "s3:DeleteObjectVersion" ], "Resource":"arn:aws:s3:::examplebucket/${aws:username}/*" } ] }
来源:https://stackoverflow.com/questions/39758851/how-to-set-up-s3-policies-for-multiple-iam-users-such-that-each-individual-only