针对完全访问优化了S3策略

我有以下政策：

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowUserToSeeBucketListInTheConsole", "Action": [ "s3:GetBucketLocation", "s3:ListAllMyBuckets" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::*" ] }, { "Sid": "AllooUserFullAccessToBucket", "Effect": "Allow", "Action": [ "s3:*" ], "Resource": [ "arn:aws:s3:::mybucket/*" ] } ] }

通过密钥/秘密（使用Cloudberry Explorer）访问存储桶时，我可以：

列出所有的桶
列表，下载，上传和删除到mybucket ，但只有当这个也是在地方桶权限 ：

在这里输入图像说明

要么

我需要添加另一个项目的策略，以消除桶级权限要求 ：

 { "Sid": "AllooUserFullAccessToBucketPre", "Effect": "Allow", "Action": [ "s3:*" ], "Resource": [ "arn:aws:s3:::mybucket" ] },

有没有语法可以使策略中只有2个项目（AllowUserToSeeBucketListInTheConsole和一个AllooUserFullAccessToBucket），同时不需要桶级别权限？

根据我的经验，制定一项政策只是授予对存储桶和内容的访问权，这是相当普遍的做法。

我通常会使用这样的策略（不希望允许此用户覆盖存储桶权限或删除存储桶等）：

 { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowS3Browse", "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:ListAllMyBuckets" ], "Resource": "*", }, { "Sid": "GrantS3BucketAccess", "Effect": "Allow", "Action": [ "s3:AbortMultipartUpload", "s3:DeleteObject*", "s3:Get*", "s3:List*", "s3:PutBucketAcl", "s3:PutObject", "s3:PutObjectAcl", "s3:RestoreObject" ], "Resource": [ "arn:aws:s3:::bucket", "arn:aws:s3:::bucket/*" ] } ] }

试试这个：

 { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws:s3:::*" }, { "Effect": "Allow", "Action": "s3:*", "Resource": [ "arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*" ] }, { "Effect": "Deny", "NotAction": "s3:*", "NotResource": [ "arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*" ] } ] }