Setting IAM user permissions to allow access to a specific S3 bucket or directory

By setting IAM user permissions you can restrict an IAM user to a specific S3 bucket or to a specific directory inside a bucket.
(1) Case 1: only allow the IAM user to access a specific S3 bucket through the API or the s3cmd command-line tool
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::mod-backup"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
      "Resource": ["arn:aws:s3:::mod-backup/*"]
    }
  ]
}
With this policy a bare s3cmd ls (listing all buckets) fails with Access Denied, but s3cmd ls s3://mod-backup still lists the contents of the bucket.
(2) Case 2: using a graphical tool such as CloudBerry, only allow the user to access a specific S3 bucket or a specific directory
The IAM user's policy is the same as in the API case:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::mod-backup"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
      "Resource": ["arn:aws:s3:::mod-backup/*"]
    }
  ]
}
When configuring CloudBerry, use the External Bucket setting so that only that bucket, or only one directory inside it, is displayed:
<1> To expose the whole bucket, enter the bucket name in External Bucket, for example mod-backup.
<2> If the user should only have access to one directory under that bucket, enter mod-backup/wangfei instead.
(3) Case 3: allow the IAM user to access, through the AWS console (the web management page), one specific S3 bucket and nothing else
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::mod-backup"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
      "Resource": ["arn:aws:s3:::mod-backup/*"]
    }
  ]
}
With this policy the IAM user can only read and write the mod-backup bucket. One problem remains: although the other buckets cannot be accessed, they still show up in the bucket list (their contents are not visible). Changing the first statement to
      "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
      "Resource": "arn:aws:s3:::mod-backup"
does not work either: then no bucket at all can be listed, because the s3:GetBucketLocation API can only operate on all buckets.
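The behaviour in all three cases follows from how IAM evaluates a policy: a request is denied unless some statement allows it, an explicit Deny always wins, and Action and Resource entries are matched with wildcards. The small evaluator below is an added example (it is not code from the original post and not AWS's own evaluation engine); it loads the three policies from this post plus the variant scoped to arn:aws:s3:::mod-backup and reports which typical requests each one allows. It models only what this post needs (no Condition, NotAction/NotResource or bucket policies), and it assumes, as a simplification, that an account-wide action such as s3:ListAllMyBuckets is evaluated against the resource arn:aws:s3:::*, so that only a Resource covering every bucket can allow it. The bucket name and object keys are the post's own; other-bucket and the file names are constructed sample values.

```python
"""Tiny IAM policy evaluator for the S3 policies in the post (added example)."""
import re

# The policies of case 1 and case 2 are identical; case 3 adds the two
# account-wide actions the console needs. "Version" is the current policy
# language version and is added here for completeness.
BUCKET = "mod-backup"
BUCKET_STATEMENTS = [
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": [f"arn:aws:s3:::{BUCKET}"]},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": [f"arn:aws:s3:::{BUCKET}/*"]},
]
CASE1_API_POLICY = {"Version": "2012-10-17", "Statement": BUCKET_STATEMENTS}
CASE3_CONSOLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
         "Resource": "arn:aws:s3:::*"},
        *BUCKET_STATEMENTS,
    ],
}
# The variant the post tried: the account-wide actions scoped to one bucket ARN.
CASE3_BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
         "Resource": f"arn:aws:s3:::{BUCKET}"},
        *BUCKET_STATEMENTS,
    ],
}


def _wildcard_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM-style matching: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Default deny; an explicit Deny beats any Allow.
    Action names are case-insensitive in IAM, resource ARNs are case-sensitive."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_wildcard_match(p, action, ignore_case=True)
                         for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(_wildcard_match(p, resource)
                           for p in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Requests a user might issue, as (action, resource). Assumption: account-wide
# actions such as ListAllMyBuckets are evaluated against "arn:aws:s3:::*".
# "other-bucket" and the file names are constructed sample values.
REQUESTS = {
    "list all buckets (s3cmd ls, console bucket list)": ("s3:ListAllMyBuckets", "arn:aws:s3:::*"),
    "list mod-backup (s3cmd ls s3://mod-backup)": ("s3:ListBucket", f"arn:aws:s3:::{BUCKET}"),
    "get mod-backup/wangfei/file.txt": ("s3:GetObject", f"arn:aws:s3:::{BUCKET}/wangfei/file.txt"),
    "put mod-backup/wangfei/file.txt": ("s3:PutObject", f"arn:aws:s3:::{BUCKET}/wangfei/file.txt"),
    "list other-bucket": ("s3:ListBucket", "arn:aws:s3:::other-bucket"),
    "get other-bucket/secret.txt": ("s3:GetObject", "arn:aws:s3:::other-bucket/secret.txt"),
}


def simulate(policy: dict) -> dict:
    """Return {request description: allowed?} for every request in REQUESTS."""
    return {name: is_allowed(policy, action, resource)
            for name, (action, resource) in REQUESTS.items()}


if __name__ == "__main__":
    for label, policy in [("case 1/2 (API, s3cmd, CloudBerry)", CASE1_API_POLICY),
                          ("case 3 (console)", CASE3_CONSOLE_POLICY),
                          ("case 3 scoped to the bucket ARN", CASE3_BROKEN_POLICY)]:
        print(f"== {label} ==")
        for name, ok in simulate(policy).items():
            print(f"  {'ALLOW' if ok else 'DENY '}  {name}")
```

Running it shows exactly the effects described above: under the case 1 policy the bucket-wide listing is denied while listing and reading mod-backup succeed, the case 3 policy additionally allows the bucket list (which is why every bucket name becomes visible in the console), and the variant scoped to the single bucket ARN denies the listing again. A fact worth keeping in mind when reading that last result: s3:ListAllMyBuckets is not tied to a bucket, so in a real policy it only takes effect with a Resource of "*" (or arn:aws:s3:::*), which is what the evaluator's assumption reproduces.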
