How do I merge AWS S3 bucket policies?

Problem description

We have an existing S3 bucket policy in production:

{
    "Version": "2012-10-17",
    "Id": "Policy[redacted]",
    "Statement": [
        {
            "Sid": "ServiceA access",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::[redacted]:root"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::mysite-production/*"
        },
        {
            "Sid": "ServiceA access",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::[redacted]:root"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::mysite-production"
        },
        {
            "Sid": "AllowPublicRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::mysite-production/*"
        }
    ]
}

Another 3rd-party service that we want to grant access to requires:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::*"
        }
    ]
}

I have tried merging ListAllMyBuckets and GetBucketLocation into the last section of our original policy, but it produces a "Policy has invalid action" error:

{
    "Effect": "Allow",
    "Principal": {
        "AWS": "*"
    },
    "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:DeleteObject"
    ],
    "Resource": "arn:aws:s3:::mysite-production/*"
}

How can I merge these into one cohesive policy? Or is it possible for a bucket to have two policies?

Thanks in advance!

Tags: amazon-web-services, amazon-s3, amazon-iam, content-security-policy

Solution

You can actually apply both an IAM policy and an S3 bucket policy at the same time. The final authorization is the least-privilege union of all the permissions.

Source: https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/
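Following the answer's point that an IAM policy and a bucket policy can be used together, here is an added example (not code from the question, the answer, or AWS) that splits the 3rd party's requested policy into the bucket-scoped statements, which get the 3rd party's account as Principal and are appended to the existing bucket policy, and the account-level statements (s3:ListAllMyBuckets on arn:aws:s3:::*), which go into a separate IAM policy for the 3rd party's identity; it also flags any merged statement that would give Principal "*" a write action, which is what the attempt in the question would have done. The 3rd-party account ARN is a placeholder, since the page does not give one.

```python
import copy

BUCKET = "mysite-production"
THIRD_PARTY = "arn:aws:iam::111122223333:root"  # placeholder account; not on the page
WRITE_ACTIONS = {"s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject", "s3:*"}

# Constructed copy of the policy the 3rd-party service asked for
REQUESTED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*"},
    {"Effect": "Allow",
     "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
     "Resource": "arn:aws:s3:::*"},
]}

def as_list(v):
    return v if isinstance(v, list) else [v]

def split_policy(requested, bucket, principal):
    """Return (bucket_statements, iam_statements).
    A bucket policy may only reference its own bucket (or its objects) and every
    statement needs a Principal; anything else belongs in an IAM policy instead."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    bucket_stmts, iam_stmts = [], []
    for stmt in requested["Statement"]:
        s = copy.deepcopy(stmt)
        s["Resource"] = [r.replace("YOUR_BUCKET_NAME", bucket) for r in as_list(s["Resource"])]
        if all(r == bucket_arn or r.startswith(bucket_arn + "/") for r in s["Resource"]):
            s["Principal"] = {"AWS": principal}  # scope to the 3rd party, never "*"
            bucket_stmts.append(s)
        else:
            iam_stmts.append(s)
    return bucket_stmts, iam_stmts

def public_write_sids(policy):
    """Sids of Allow statements that grant a write action to Principal '*'."""
    hits = []
    for s in policy["Statement"]:
        public = s.get("Principal") == "*" or s.get("Principal", {}).get("AWS") == "*"
        if s["Effect"] == "Allow" and public and WRITE_ACTIONS & set(as_list(s["Action"])):
            hits.append(s.get("Sid", "<no Sid>"))
    return hits

def merge_into_bucket_policy(existing, requested, bucket, principal):
    """Append the bucket-scoped part of `requested` to the existing bucket policy."""
    bucket_stmts, iam_stmts = split_policy(requested, bucket, principal)
    merged = copy.deepcopy(existing)
    merged["Statement"].extend(bucket_stmts)
    return merged, {"Version": "2012-10-17", "Statement": iam_stmts}
```

Run `public_write_sids` on the merged bucket policy before applying it; an empty list means no statement hands write access to the whole world.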
