我們需要創建一個允許我們在客戶的S3賬戶中訪問存儲區的IAM用戶(前提是他們允許我們訪問這些存儲區)。S3 IAM訪問其他賬戶的政策
我們已經創建了一個IAM用戶在我們的帳戶與以下在線政策:
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:PutObjectAcl",
"s3:ListMultipartUploadParts",
"s3:PutObject",
"s3:ListBucketMultipartUploads",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::*"
}
]
}
除此之外,我們將要求我們的客戶使用下面的策略,並將其應用到自己的相關鬥:
{
"Version": "2008-10-17",
"Id": "Policy1416999097026",
"Statement": [
{
"Sid": "Stmt1416998971331",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::229569340673:user/our-iam-user"
},
"Action": [
"s3:AbortMultipartUpload",
"s3:PutObjectAcl",
"s3:ListMultipartUploadParts",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::client-bucket-name/*"
},
{
"Sid": "Stmt1416999025675",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::229569340673:user/our-iam-user"
},
"Action": [
"s3:ListBucketMultipartUploads",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::client-bucket-name"
}
]
}
雖然這一切似乎做工精細,我們已經發現了一個重要問題是我們自己內部的直列政策似乎充分使用我們-IAM用戶所有我們自己的內部桶。
我們是否錯配了某些東西,或者我們在這裏丟失了其他明顯的東西?
如果外部賬戶授予您賬戶中特定IAM用戶的權限,第一項政策似乎不必要你能刪除它並確認嗎? –