Configuring a custom IAM policy: access to a specific bucket only
1. Create a custom policy (in JSON format)
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObjectVersion",
                "s3:DeleteObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::yourbucket/*"
        }
    ]
}
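2. Attach the custom policy to the newly created user.
3. Download the AWS CLI and enter the new user's Access key ID and Secret access key; the CLI then operates with the permissions configured above.
4. Testing showed that the user had no permission to list objects; ListBucket must be added to obtain it.
After changing the JSON to the following, aws s3 ls s3://yourbucket responded normally.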
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObjectVersion",
                "s3:DeleteObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::god-res/*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::*"
        }
    ]
}
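Added example (not from the original post): the ListBucket statement above uses the resource arn:aws:s3:::*, which matches every bucket ARN rather than one bucket. The Python below flags resources that reach outside a chosen bucket and builds a copy of the policy pinned to it; the function names and the short BUCKET_LEVEL set are assumptions of this example.

```python
import json

# Added example, not the blog author's code. Assumes an identity policy like
# the page's: Allow statements whose Resource is a string or list of strings.
BUCKET_LEVEL = {"s3:ListBucket", "s3:ListBucketVersions", "s3:GetBucketLocation"}  # partial list

PAGE_POLICY = {  # second policy from the page, values as published
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObjectVersion",
                    "s3:DeleteObject", "s3:GetObjectVersion"],
         "Resource": "arn:aws:s3:::god-res/*"},
        {"Sid": "VisualEditor1", "Effect": "Allow",
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::*"},
    ],
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def out_of_scope(policy, bucket):
    """Return (Sid, resource) for each Allow resource not confined to `bucket`."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for res in as_list(stmt["Resource"]):
            # Only the exact bucket ARN or keys under "bucket/" stay in scope;
            # "bucket*" is flagged because it also matches other bucket names.
            if res != bucket_arn and not res.startswith(bucket_arn + "/"):
                findings.append((stmt.get("Sid"), res))
    return findings

def scoped_copy(policy, bucket):
    """Copy of `policy` with bucket-level actions on the bucket ARN and
    object-level actions on bucket/*; the input is left unchanged."""
    statements = []
    for stmt in policy["Statement"]:
        actions = set(as_list(stmt["Action"]))
        if actions & BUCKET_LEVEL and actions - BUCKET_LEVEL:
            raise ValueError(f"{stmt.get('Sid')}: split bucket and object actions")
        suffix = "" if actions <= BUCKET_LEVEL else "/*"
        statements.append({**stmt, "Resource": f"arn:aws:s3:::{bucket}{suffix}"})
    return {**policy, "Statement": statements}

if __name__ == "__main__":
    print(out_of_scope(PAGE_POLICY, "god-res"))
    print(json.dumps(scoped_copy(PAGE_POLICY, "god-res"), indent=2))
```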
References:
https://docs.aws.amazon.com/zh_tw/AmazonS3/latest/dev/example-policies-s3.html#iam-policy-ex0
Wednesday, March 18, 2020
AWS S3 Scenario - Part 1: Set S3 Public Access
Configuring S3 public access
1. Create a new S3 bucket, name: YourBucket. (Public access is blocked by default.)
2. Turn off the Block Public Access setting.
3. Add a bucket policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::yourbucket/*"
        }
    ]
}
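4. Upload a file and test whether it can be accessed / downloaded directly.
The default S3 URL depends on the region where the bucket is placed. I put mine in Tokyo, so the root URL is the following: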
https://yourbucket.s3-ap-northeast-1.amazonaws.com
References:
https://docs.aws.amazon.com/zh_tw/AmazonS3/latest/user-guide/block-public-access-bucket.html
https://docs.aws.amazon.com/zh_tw/AmazonS3/latest/dev/WebsiteAccessPermissionsReqd.html