您只允许他们ListAllMyBuckets
,这意味着他们只能列出您的存储桶的名称,而不能执行任何其他操作。
如果您已经为他们创建了 IAM 用户,那么向他们提供此策略将允许他们列出和检索其文件,但只能从给定目录(或者更准确地说,使用给定前缀):
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::my-bucket"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"recordings/123/*"
]
}
}
},
{
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::my-bucket/recordings/123/*"
]
}
]
}
如果您经常与客户这样做,那么您可以使用IAM 策略变量 http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html创建替换用户名的规则:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::my-bucket"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"recordings/${aws:username}/*"
]
}
}
},
{
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::my-bucket/recordings/${aws:username}/*"
]
}
]
}