Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅
中国的 Amazon Web Services 服务入门
(PDF)。
目录存储桶的存储桶策略示例
本节提供存储桶策略示例。要使用这些策略,请将 user input placeholders
以下示例存储桶策略允许 Amazon Web Services 账户 ID 111122223333ReadWrite 会话中使用 CreateSession API 操作。此策略授予对可用区端点(对象级)API 操作的访问权限。
例 – 允许通过默认 ReadWrite 会话执行 CreateSession 调用的存储桶策略
- JSON
-
-
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ReadWriteAccess",
"Effect": "Allow",
"Resource": "arn:aws:s3express:us-west-2:111122223333:bucket/amzn-s3-demo-bucket--usw2-az1--x-s3",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:root"
]
},
"Action": [
"s3express:CreateSession"
]
}
]
}
例 – 允许通过 ReadOnly 会话执行 CreateSession 调用的存储桶策略
以下示例存储桶策略允许 Amazon Web Services 账户 ID 111122223333CreateSession API 操作。此策略使用 s3express:SessionMode 条件键以及 ReadOnly 值来设置只读会话。
- JSON
-
-
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ReadOnlyAccess",
"Effect": "Allow",
"Principal": {
"AWS": "111122223333"
},
"Action": "s3express:CreateSession",
"Resource": "*",
"Condition": {
"StringEquals": {
"s3express:SessionMode": "ReadOnly"
}
}
}
]
}
例 – 允许 CreateSession 调用进行跨账户访问的存储桶策略
以下示例存储桶策略允许 Amazon Web Services 账户 ID 111122223333444455556666CreateSession API 操作。
- JSON
-
-
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "CrossAccount",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"s3express:CreateSession"
],
"Resource": "arn:aws:s3express:us-west-2:444455556666:bucket/amzn-s3-demo-bucket--usw2-az1--x-s3"
}
]
}