Granting permissions for Amazon S3 Batch Operations - Amazon Simple Storage Service

This is a machine-translated version of the English original. If there is any ambiguity or inconsistency between the two, the English version prevails.

Granting permissions for Amazon S3 Batch Operations

Before you create and run S3 Batch Operations jobs, you must grant the required permissions. To create an Amazon S3 Batch Operations job, you need the s3:CreateJob user permission. The same entity that creates the job must also have the iam:PassRole permission to pass the AWS Identity and Access Management (IAM) role that is specified for the job to Batch Operations.

For general information about specifying IAM resources, see IAM JSON policy, Resource elements in the IAM User Guide. The following sections provide information about creating an IAM role and attaching policies.

Creating an S3 Batch Operations IAM role

Amazon S3 must have permissions to perform S3 Batch Operations on your behalf. You grant these permissions through an AWS Identity and Access Management (IAM) role. This section provides examples of the trust and permissions policies that you use when creating an IAM role. For more information, see IAM roles in the IAM User Guide. For examples, see Controlling permissions for S3 Batch Operations using job tags and Copying objects using S3 Batch Operations.

In your IAM policies, you can also use condition keys to filter access permissions for S3 Batch Operations jobs. For more information and a complete list of Amazon S3 specific condition keys, see Actions, resources, and condition keys for Amazon S3 in the Service Authorization Reference.

The following video shows how to set up IAM permissions for a Batch Operations job by using the AWS Management Console.

Trust policy

To allow the S3 Batch Operations service principal to assume the IAM role, attach the following trust policy to the role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "batchoperations.s3.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Attaching permissions policies

Depending on the type of operation, you can attach one of the following policies.

Before you configure permissions, note the following:

  • Regardless of the operation, Amazon S3 needs permissions to read the manifest object from your S3 bucket and, optionally, to write a report to your bucket. Therefore, all of the following policies include these permissions.

  • For Amazon S3 Inventory report manifests, S3 Batch Operations needs permission to read the manifest.json object and all associated CSV data files.

  • Version-specific permissions such as s3:GetObjectVersion are required only when you specify the version ID of the objects.

  • If you are running S3 Batch Operations on encrypted objects, the IAM role must also have access to the AWS KMS keys that were used to encrypt them.

  • If you submit an inventory report manifest that is encrypted with AWS KMS, your IAM policy must include the kms:Decrypt and kms:GenerateDataKey permissions for the manifest.json object and all associated CSV data files.
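The following added example (not code from the AWS documentation) checks a role's trust policy and permissions policy against the requirements listed above before a job is created: the batchoperations.s3.amazonaws.com principal can assume the role, the role can read the manifest and write the completion report, and, for a KMS-encrypted manifest, it holds kms:Decrypt and kms:GenerateDataKey on the key. The bucket names, the manifest.json and job-report.json keys, and the KMS key ARN are constructed placeholders; Deny statements and Condition blocks are deliberately ignored, so treat a clean result as a baseline check, not a full simulation.

```python
import fnmatch

BATCH_OPS_PRINCIPAL = "batchoperations.s3.amazonaws.com"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]

def trust_policy_issues(trust_policy):
    """Problems with the role's trust policy (Condition blocks are ignored)."""
    issues, assumable = [], False
    for stmt in _allow_statements(trust_policy):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))):
            issues.append("trust policy lets any principal assume the role")
        if BATCH_OPS_PRINCIPAL in services and "sts:AssumeRole" in _as_list(stmt.get("Action", [])):
            assumable = True
    if not assumable:
        issues.append(f"no Allow statement lets {BATCH_OPS_PRINCIPAL} call sts:AssumeRole")
    return issues

def is_allowed(policy, action, arn):
    """True if an Allow statement grants action on arn (IAM-style wildcards; Deny/Condition ignored)."""
    return any(any(fnmatch.fnmatchcase(action, a) for a in _as_list(s.get("Action", [])))
               and any(fnmatch.fnmatchcase(arn, r) for r in _as_list(s.get("Resource", [])))
               for s in _allow_statements(policy))

def permissions_policy_issues(policy, manifest_bucket, report_bucket=None, manifest_kms_key_arn=None):
    """Baseline every job needs: read the manifest, write the report if requested, use the manifest's KMS key."""
    issues = []
    manifest_arn = f"arn:aws:s3:::{manifest_bucket}/manifest.json"  # constructed key; CSV data files sit beside it
    for action in ("s3:GetObject", "s3:GetObjectVersion"):
        if not is_allowed(policy, action, manifest_arn):
            issues.append(f"missing {action} on {manifest_arn}")
    if report_bucket and not is_allowed(policy, "s3:PutObject", f"arn:aws:s3:::{report_bucket}/job-report.json"):
        issues.append(f"missing s3:PutObject on completion report bucket {report_bucket}")
    for action in ("kms:Decrypt", "kms:GenerateDataKey") if manifest_kms_key_arn else ():
        if not is_allowed(policy, action, manifest_kms_key_arn):
            issues.append(f"missing {action} on {manifest_kms_key_arn}")
    return issues

# Constructed sample inputs: the page's trust policy and its PutObjectTagging permissions policy.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Service": "batchoperations.s3.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
TAGGING_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObjectTagging", "s3:PutObjectVersionTagging"], "Resource": "arn:aws:s3:::TargetResource/*"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:GetObjectVersion"], "Resource": ["arn:aws:s3:::ManifestBucket/*"]},
    {"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": ["arn:aws:s3:::ReportBucket/*"]}]}
```

Operation-specific actions (s3:PutObjectTagging, s3:RestoreObject, and so on) are intentionally not checked, since they vary per job type; extend is_allowed calls for the operation you run.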

Copy objects: PutObject

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:PutObjectTagging"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::DestinationBucket/*"
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectTagging",
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::SourceBucket",
        "arn:aws:s3:::SourceBucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::ManifestBucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::ReportBucket/*"
      ]
    }
  ]
}

Replace object tagging: PutObjectTagging

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObjectTagging",
        "s3:PutObjectVersionTagging"
      ],
      "Resource": "arn:aws:s3:::TargetResource/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::ManifestBucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::ReportBucket/*"
      ]
    }
  ]
}

Delete object tagging: DeleteObjectTagging

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:DeleteObjectTagging",
        "s3:DeleteObjectVersionTagging"
      ],
      "Resource": [
        "arn:aws:s3:::TargetResource/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::ManifestBucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::ReportBucket/*"
      ]
    }
  ]
}

Replace access control list: PutObjectAcl

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObjectAcl",
        "s3:PutObjectVersionAcl"
      ],
      "Resource": "arn:aws:s3:::TargetResource/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::ManifestBucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::ReportBucket/*"
      ]
    }
  ]
}

Restore objects: RestoreObject

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:RestoreObject"
      ],
      "Resource": "arn:aws:s3:::TargetResource/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::ManifestBucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::ReportBucket/*"
      ]
    }
  ]
}

Apply Object Lock retention: PutObjectRetention

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetBucketObjectLockConfiguration",
      "Resource": [
        "arn:aws:s3:::TargetResource"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObjectRetention",
        "s3:BypassGovernanceRetention"
      ],
      "Resource": [
        "arn:aws:s3:::TargetResource/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::ManifestBucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::ReportBucket/*"
      ]
    }
  ]
}

Apply Object Lock legal hold: PutObjectLegalHold

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetBucketObjectLockConfiguration",
      "Resource": [
        "arn:aws:s3:::TargetResource"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "s3:PutObjectLegalHold",
      "Resource": [
        "arn:aws:s3:::TargetResource/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::ManifestBucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::ReportBucket/*"
      ]
    }
  ]
}

Replicate existing objects: InitiateReplication with an S3 generated manifest

Use this policy if you are using and storing an S3 generated manifest. For more information about using Batch Operations to replicate existing objects, see Replicating existing objects with S3 Batch Replication.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:InitiateReplication"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*** replication source bucket ***/*"
      ]
    },
    {
      "Action": [
        "s3:GetReplicationConfiguration",
        "s3:PutInventoryConfiguration"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*** replication source bucket ***"
      ]
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*** manifest bucket ***/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::*** completion report bucket ***/*",
        "arn:aws:s3:::*** manifest bucket ***/*"
      ]
    }
  ]
}

Replicate existing objects: InitiateReplication with a user manifest

Use this policy if you are using a user-provided manifest. For more information about using Batch Operations to replicate existing objects, see Replicating existing objects with S3 Batch Replication.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:InitiateReplication"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*** replication source bucket ***/*"
      ]
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*** manifest bucket ***/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::*** completion report bucket ***/*"
      ]
    }
  ]
}