```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::mod-backup"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
      "Resource": ["arn:aws:s3:::mod-backup/*"]
    }
  ]
}
```

With this policy a bare `s3cmd ls` reports Access Denied, but `s3cmd ls s3://mod-backup` can still be listed.
```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::mod-backup"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
      "Resource": ["arn:aws:s3:::mod-backup/*"]
    }
  ]
}
```

With this policy the IAM user can only read and write the mod-backup bucket, but there is another problem: although the other buckets cannot be accessed, they still appear in the bucket listing (their contents are not visible). Changing it to
```json
"Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
"Resource": "arn:aws:s3:::mod-backup"
```

does not work either: no bucket can be listed at all, because the s3:GetBucketLocation API operation can only target all buckets.
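To show why each variant behaves as described, here is an added simulation (example code, not from the original post or from AWS) that evaluates the page's three policies against the requests behind `s3cmd ls`, `s3cmd ls s3://mod-backup` and an object download. Representing the bucket-less ListAllMyBuckets request as the bare S3 ARN prefix is a modelling assumption; it reflects that IAM defines s3:ListAllMyBuckets with no bucket-level resource, so it only matches a `*` or `arn:aws:s3:::*` Resource.

```python
import fnmatch

# The page's three policy variants, copied here as fixtures (example code, not AWS's).
BUCKET_STATEMENTS = [
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::mod-backup"]},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::mod-backup/*"]},
]
LIST_ALL = {"Effect": "Allow", "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"]}
POLICIES = {
    "bucket_only": {"Statement": BUCKET_STATEMENTS},
    "list_all_on_star": {"Statement": [{**LIST_ALL, "Resource": "arn:aws:s3:::*"}, *BUCKET_STATEMENTS]},
    "list_all_on_bucket": {"Statement": [{**LIST_ALL, "Resource": "arn:aws:s3:::mod-backup"}, *BUCKET_STATEMENTS]},
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching
    Allow grants, otherwise implicit deny. Action/Resource use IAM's '*' wildcard."""
    allowed = False
    for stmt in policy["Statement"]:
        if any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])) and \
           any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

# Requests behind the page's s3cmd commands. ListAllMyBuckets names no bucket; this
# simulation represents it as the bare S3 ARN prefix (a modelling assumption), which
# '*' or 'arn:aws:s3:::*' matches and a single bucket ARN does not.
REQUESTS = {
    "s3cmd ls": ("s3:ListAllMyBuckets", "arn:aws:s3:::"),
    "s3cmd ls s3://mod-backup": ("s3:ListBucket", "arn:aws:s3:::mod-backup"),
    "s3cmd ls s3://other-bucket": ("s3:ListBucket", "arn:aws:s3:::other-bucket"),
    "s3cmd get s3://mod-backup/db.sql": ("s3:GetObject", "arn:aws:s3:::mod-backup/db.sql"),
}

def evaluate(policy_name):
    """Map each sample command to True (allowed) or False (Access Denied)."""
    policy = POLICIES[policy_name]
    return {cmd: is_allowed(policy, act, res) for cmd, (act, res) in REQUESTS.items()}

if __name__ == "__main__":
    for name in POLICIES:
        print(name, evaluate(name))
```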