{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:ListAccessPointsForObjectLambda",
        "s3:GetAccessPoint",
        "s3:PutAccountPublicAccessBlock",
        "s3:ListAccessPoints",
        "s3:CreateStorageLensGroup",
        "s3:ListJobs",
        "s3:PutStorageLensConfiguration",
        "s3:ListMultiRegionAccessPoints",
        "s3:ListStorageLensGroups",
        "s3:ListStorageLensConfigurations",
        "s3:GetAccountPublicAccessBlock",
        "s3:ListAllMyBuckets",
        "s3:ListAccessGrantsInstances",
        "s3:PutAccessPointPublicAccessBlock",
        "s3:CreateJob"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::bucket-a",
        "arn:aws:s3:::bucket-a/*",
        "arn:aws:s3:::bucket-b*",
        "arn:aws:s3:::bucket-b*/*"
      ]
    }
  ]
}
- If Resource is set only to arn:aws:s3:::bucket-a, folders cannot be created, because there is no s3:PutObject permission on the objects in the bucket.
- If Resource is set only to arn:aws:s3:::bucket-a/*, the bucket bucket-a cannot be viewed, because the bucket-level permissions (such as s3:ListBucket) are not granted.
- arn:aws:s3:::bucket-a: this ARN refers to the bucket itself. It is used for permissions that operate on the bucket, for example listing the objects in the bucket (s3:ListBucket).
- arn:aws:s3:::bucket-a/*: this ARN refers to all objects in the bucket. It is used for permissions that operate on individual objects in the bucket, for example uploading (s3:PutObject) and deleting (s3:DeleteObject) objects.
- arn:aws:s3:::bucket-b* grants access to every bucket whose name starts with bucket-b.
- If this policy is attached to the IAM user user1, and the EC2 instance i1 has no access to bucket-a, then user1 cannot access bucket-a from inside i1.
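The notes above come down to how IAM matches a request's action and resource ARN against each statement. The following Python is an added example (not part of the original notes and not AWS code): a deliberately simplified policy evaluator that reproduces the bucket-ARN vs. object-ARN behaviour and the bucket-b* prefix match against the policy shown above. It assumes IAM's basic wildcard rules (`*` matches any characters, including `/`; action names compare case-insensitively; an explicit Deny wins; no matching Allow means implicit deny) and ignores Conditions, NotAction/NotResource, bucket policies and SCPs. The bucket name bucket-b-logs and the key new-folder/ (the key the S3 console writes when you "create a folder") are constructed sample values.

```python
import json
import re

# The policy from this page (with the trailing comma after the last Resource ARN removed so it parses).
PAGE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:ListAccessPointsForObjectLambda", "s3:GetAccessPoint", "s3:PutAccountPublicAccessBlock",
        "s3:ListAccessPoints", "s3:CreateStorageLensGroup", "s3:ListJobs",
        "s3:PutStorageLensConfiguration", "s3:ListMultiRegionAccessPoints", "s3:ListStorageLensGroups",
        "s3:ListStorageLensConfigurations", "s3:GetAccountPublicAccessBlock", "s3:ListAllMyBuckets",
        "s3:ListAccessGrantsInstances", "s3:PutAccessPointPublicAccessBlock", "s3:CreateJob"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::bucket-a", "arn:aws:s3:::bucket-a/*",
        "arn:aws:s3:::bucket-b*", "arn:aws:s3:::bucket-b*/*"
      ]
    }
  ]
}
""")


def iam_match(pattern, value, case_insensitive=False):
    """IAM-style wildcard match: '*' matches any run of characters (including '/'), '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if case_insensitive else 0) is not None


def as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified identity-policy evaluation (an assumption of this example, not AWS's engine):
    an explicit Deny wins, otherwise any matching Allow grants, otherwise implicit deny.
    Conditions, NotAction/NotResource, bucket policies and SCPs are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(iam_match(p, action, case_insensitive=True) for p in as_list(stmt["Action"])):
            continue
        if not any(iam_match(p, resource) for p in as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def s3_policy(*resources):
    """One-statement policy granting s3:* on the given ARNs (constructed to reproduce the notes above)."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": list(resources)}]}


def check_notes():
    """Re-run the observations from the notes; returns a description -> allowed? mapping."""
    bucket_only = s3_policy("arn:aws:s3:::bucket-a")       # bucket ARN only
    objects_only = s3_policy("arn:aws:s3:::bucket-a/*")    # object ARN only
    folder_key = "arn:aws:s3:::bucket-a/new-folder/"       # constructed: what 'create folder' writes
    return {
        "bucket-only ARN: ListBucket on bucket-a": is_allowed(bucket_only, "s3:ListBucket", "arn:aws:s3:::bucket-a"),
        "bucket-only ARN: PutObject new-folder/": is_allowed(bucket_only, "s3:PutObject", folder_key),
        "object-only ARN: ListBucket on bucket-a": is_allowed(objects_only, "s3:ListBucket", "arn:aws:s3:::bucket-a"),
        "object-only ARN: PutObject new-folder/": is_allowed(objects_only, "s3:PutObject", folder_key),
        "page policy: GetObject in bucket-b-logs (prefix)": is_allowed(PAGE_POLICY, "s3:GetObject", "arn:aws:s3:::bucket-b-logs/2024/app.log"),
        "page policy: GetObject in bucket-c (not granted)": is_allowed(PAGE_POLICY, "s3:GetObject", "arn:aws:s3:::bucket-c/secret.txt"),
    }


if __name__ == "__main__":
    for name, ok in check_notes().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {name}")
```

Running it prints one ALLOW/DENY line per note: the bucket-only ARN allows ListBucket but denies the PutObject that creates a folder, the object-only ARN does the reverse, and the page policy reaches bucket-b-logs through the bucket-b* prefix but not bucket-c. For real decisions use the IAM policy simulator or `aws iam simulate-principal-policy`, since this evaluator omits conditions and resource-based policies on purpose.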