You can use IAM policies attached to roles or users to define permissions. In your case, IAM roles synchronized with AD groups would be central. You can use policy variables to assign permissions dynamically. For instance, you can use ${aws:username} or custom attributes from SAML assertions (when users federate into AWS using an AD identity) as variables in your IAM policies to grant access based on AD group membership. The ${aws:username} variable is used to insert the federated user's username into the policy, and a hypothetical ${aws:groups} variable (you would replace this with the actual name of the SAML attribute you use) is used to ensure the user can only access folders in the bucket that match their AD group names.
Example IAM Policy

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListAllMyBuckets",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    },
    {
      "Sid": "ListOnlyGroupFolder",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::company-bucket",
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "${aws:groups}/*",
            "${aws:groups}"
          ]
        },
        "StringEquals": {
          "s3:delimiter": "/"
        }
      }
    },
    {
      "Sid": "LimitedAccessToSpecificBucket",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::company-bucket/${aws:groups}/*"
    }
  ]
}
```

The `s3:prefix` and `s3:delimiter` condition keys are only present in `ListBucket` requests; a condition on them attached to object-level actions such as `s3:GetObject` evaluates to false because the key is absent, so the listing statement and the object statement are kept separate.
If this has answered your question or was helpful, accepting the answer would be greatly appreciated. Thank you!
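As an added example (not code from the answer above), the following is a small offline approximation of how IAM substitutes policy variables and evaluates `StringLike`/`StringEquals` conditions, so the group scoping can be checked before the policy is deployed. It assumes the answer's hypothetical `${aws:groups}` attribute, models Allow statements only, and constructs its own sample policy and principal.

```python
import fnmatch

# Simplified, offline model of IAM evaluation for checking the group-folder scoping.
# "${aws:groups}" is the hypothetical SAML attribute name used in the answer above.

def _as_list(value):
    return value if isinstance(value, list) else [value]

def substitute(text, variables):
    for name, value in variables.items():
        text = text.replace("${" + name + "}", value)
    return text

def condition_ok(condition, context, variables):
    # A key missing from the request context makes the condition false, which is why
    # an s3:prefix condition must not be attached to object-level actions.
    for operator, pairs in condition.items():
        for key, patterns in pairs.items():
            if key not in context:
                return False
            patterns = [substitute(p, variables) for p in _as_list(patterns)]
            if operator == "StringEquals":
                matched = context[key] in patterns
            elif operator == "StringLike":
                matched = any(fnmatch.fnmatchcase(context[key], p) for p in patterns)
            else:
                raise ValueError("operator not modelled: " + operator)
            if not matched:
                return False
    return True

def is_allowed(policy, action, resource, context, variables):
    # Allow-only evaluation (explicit Deny is not modelled); "*" matches as in IAM.
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, substitute(r, variables))
                   for r in _as_list(stmt["Resource"])):
            continue
        if condition_ok(stmt.get("Condition", {}), context, variables):
            return True
    return False

# Constructed policy: listing limited to the group's prefix, objects to the group's folder.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::company-bucket",
     "Condition": {"StringLike": {"s3:prefix": ["${aws:groups}/*", "${aws:groups}"]},
                   "StringEquals": {"s3:delimiter": "/"}}},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::company-bucket/${aws:groups}/*"}]}
```

Running `is_allowed(POLICY, "s3:GetObject", "arn:aws:s3:::company-bucket/hr/x.csv", {}, {"aws:groups": "finance"})` returns `False`, while the same call for a key under `finance/` returns `True`.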
If you want to access S3 objects through filesystem, FSx Lustre would provide POSIX compatible file system access.
https://aws.amazon.com/blogs/aws/enhanced-amazon-s3-integration-for-amazon-fsx-for-lustre/