阅读背景:

基于名称空间或标记的Amazon AWS S3 IAM策略

来源:互联网 

I have a number of buckets that start with the same namespace as in assets-<something>, so I was wondering what would be the best option to give rights to IAM group with minimal need to maintain it.

我有许多与assets中名称空间相同的bucket—— ,所以我想知道在最少需要维护的情况下,为IAM组授予权限的最佳选择是什么。

Is it possible to use any sort of regex in ARN? Or maybe I could use tags? EC2 has condition for ResourceTag, but it appears that it does not exist for S3.

是否可以在ARN中使用任何类型的regex ?或者我可以用标签?EC2有ResourceTag的条件,但是S3似乎不存在ResourceTag。

Or should I with each bucket add new ARN to the policy?

或者我是否应该在每个桶中添加新的ARN来执行该策略?

Again I am searching for the minimal solution so attaching new policy to each bucket itself seems to be a bit much.

我仍然在寻找最小的解决方案,所以将新策略附加到每个bucket本身似乎有点太大了。

2 个解决方案

#1


3  

An IAM policy can grant access to Amazon S3 buckets based on a wildcard.

IAM策略可以基于通配符授予对Amazon S3 bucket的访问权限。

For example, this policy grants permissions to list the contents of a bucket and retrieve an object from a bucket, but only if the bucket starts with assets-:

例如,此策略授予权限来列出bucket的内容并从bucket中检索对象,但仅当bucket以资产开头时——

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SomeSID",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::assets-*",
        "arn:aws:s3:::assets-*/*"
      ]
    }
  ]
}

Note that the Resource section refers to both the bucket (for ListBucket) and the content of the bucket (for GetObject).

注意,资源部分引用bucket(用于ListBucket)和bucket的内容(用于GetObject)。

Wildcard also work elsewhere in the bucket name, eg: arn:aws:s3:::*-record

通配符也在bucket名称的其他地方工作,例如:arn:aws:s3:: *-记录。

It is not possible to grant access to Amazon S3 buckets based on Tags.

不可能基于标记授予对Amazon S3 bucket的访问权限。

ARN format

是格式

As an aside, if you're wondering why there are so many colons in the ARN (Amazon Resource Name) for an Amazon S3 bucket, it's because the normal format for an ARN is:

顺便提一下,如果您想知道为什么Amazon S3 bucket的ARN (Amazon资源名)中有这么多的冒号,那是因为ARN的正常格式是:

arn:aws:<service name>:<region>:<account>:<resource>

In the case of an Amazon S3 bucket, the region and account can be discerned from the bucket name (which is globally unique), so those parameters are left blank.

对于Amazon S3桶,可以从桶名(全局惟一)中识别区域和帐户,因此这些参数为空。

#2


0  

Yes indeed it appears I can use IAM policy with ARN arn:aws:s3:::assets-* and arn:aws:s3:::assets-*/*

是的,看来我可以用ARN ARN ARN:aws::::assets-*和ARN:aws:s3:::assets-*/*来使用IAM策略


分享到: