amazon-web-services - AWS CLI 仅列出授权存储桶
问题描述
我的帐户中有 3 个存储桶 A、B 和 C。我创建了一个限制 IAM 用户访问特定存储桶的策略。这是政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::A"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::A/*"
}
]
}
将此策略应用于 IAM 用户后,我尝试将aws s3 ls
命令与凭证一起使用。
# list buckets
➜ aws s3 ls
2020-06-20 03:54:56 A
2020-06-20 03:54:56 B
2020-06-20 03:54:56 C
➜ aws s3 ls s3://A
PER sub-foler/
➜ aws s3 ls s3://B
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
看起来它成功地限制了 A 以外的存储桶中的用户访问。但是用户仍然可以看到其他存储桶的存在,例如 B 和 C。
是否可以限制用户仅列出授权给它的存储桶(即A)?
解决方案
该s3:ListAllMyBuckets
权限授予列出 AWS 账户中的存储桶的能力。
所有的桶都将被退回。无法限制返回哪些桶。
如果您不希望用户看到其他存储桶的列表,则不要让他们能够列出存储桶名称。
推荐阅读
- python - 为什么我需要 web api 来链接 django 和其他 js 框架
- django - Wagtail 博客示例导致没有属性“_default_manager”
- c++ - 如何设置 CMakeLists.txt 以正确导入 AntTweakBar 库?
- python - how module/function is imported and how to know which keywords can be passed to built-in functions
- ios - Build IOS in flutter it's showing GeneratedPluginRegistrant.m Plugin headers not found ex :(#import
) - c++ - How to integrate windows/Internet explorer's internet properties options and proxy?
- javascript - How to fix eslint prefer-destructuring if we want to override defined variable?
- android - Getting notification in the future which has been scheduled for specific dates
- realm - javascript ream.close() not closing, stopped
- string - Why does open with :w and :append still overwrite the file?