Setting up S3 as an SFTP-like service for data uploads

One handy feature of S3 is that it can be set up as an SFTP-like shared folder into which users upload data. Because S3 is a cloud-native service rather than a machine, it is very easy to maintain and cheap to run, which makes it well suited to storing and sharing large numbers of files.

The tricky part of the setup is defining the policy; the steps are as follows.

1. Go to IAM and create a policy


The specific policies are given below; adjust them as needed.

Full permissions on the whole bucket

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::BUCKET/*",
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::BUCKET",
      "Condition": {}
    }
  ]
}


Full permissions on one folder under the bucket only

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucketVersions"
      ],
      "Resource": "arn:aws:s3:::BUCKET",
      "Condition": {
        "StringLike": {
          "s3:prefix": "FOLDER/*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::BUCKET/FOLDER/*",
      "Condition": {}
    }
  ]
}


Read-only access to the bucket

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::BUCKET",
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::BUCKET/*",
      "Condition": {}
    }
  ]
}


Read-only access to one specified folder under the bucket only

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GiveSimpleListAccessToSharedFolder",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::BUCKET",
      "Condition": {
        "StringLike": {
          "s3:prefix": "FOLDER/*"
        }
      }
    },
    {
      "Sid": "GiveReadAccessToSharedFolder",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::BUCKET/FOLDER/*"
    }
  ]
}


2. After adding the policy, give it a name and save it


3. Return to IAM, click Groups, and add a group



4. Give the group the same name as the policy so it is easy to identify



5. Attach the policy created earlier to this group; this defines the S3 access that every user later added to the group will have


6. Once that is done, start creating users: return to IAM and click Users


7. Tick "Programmatic access"


8. Add the user to the corresponding permission group


Once finished, the bucket can be accessed through an S3 client such as CloudBerry or Cyberduck by entering the generated IAM access key into the software. Below is a screenshot of the CloudBerry interface, which looks much like browsing a folder over SFTP.

[Screenshot: CloudBerry interface]

One point to note: S3 policy permissions for the China region differ slightly from the other regions (the ARN partition is aws-cn instead of aws); the policies are given below. If the client requires an S3 server address, use: s3.cn-north-1.amazonaws.com.cn

Full permissions on the bucket

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListBucketIfSpecificPrefixIsIncludedInRequest",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws-cn:s3:::bucket"
            ],
            "Condition": {}
        },
        {
            "Sid": "AllowUserToReadWriteObjectDataInDevelopmentFolder",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws-cn:s3:::bucket/*"
            ]
        }
    ]
}


Full permissions, but without delete permission

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListBucketIfSpecificPrefixIsIncludedInRequest",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws-cn:s3:::BUCKET"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": "FOLDER/*"
                }
            }
        },
        {
            "Sid": "AllowUserToReadWriteObjectDataInDevelopmentFolder",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws-cn:s3:::BUCKET/FOLDER/*"
            ]
        }
    ]
}
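The following Python example is added here and is not code from the original post. It generates the folder-scoped policy shown above for either partition (aws or aws-cn) and runs a deliberately simplified local evaluator over it, so that the scoping can be checked before the policy is pasted into IAM. The function names make_folder_policy, is_allowed and check_folder_scoping, and the bucket and folder names, are assumptions chosen for the example; the evaluator only models Allow statements, wildcard matching of Action and Resource, and StringLike conditions, which is all these policies use.

```python
"""Generate the folder-scoped S3 policy from the post and check it locally.

Added example (not from the original post). The evaluator is a minimal model
of IAM: default deny, Allow statements only, '*' / '?' wildcards in Action and
Resource, and the StringLike condition operator. It does not model Deny,
NotAction, resource policies or other condition operators.
"""
import fnmatch
import json


def make_folder_policy(bucket, folder, partition="aws", allow_delete=True):
    """Build the 'only this folder' policy as a dict.

    partition: 'aws' for the global regions, 'aws-cn' for the China regions.
    allow_delete=False swaps s3:* for GetObject/PutObject, as in the
    'full permissions but no delete' variant in the post.
    """
    bucket_arn = f"arn:{partition}:s3:::{bucket}"
    object_actions = "s3:*" if allow_delete else ["s3:GetObject", "s3:PutObject"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListOnlySharedFolder",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": bucket_arn,
                # Only list requests whose prefix lies under FOLDER/ are allowed.
                "Condition": {"StringLike": {"s3:prefix": f"{folder}/*"}},
            },
            {
                "Sid": "ObjectsInSharedFolder",
                "Effect": "Allow",
                "Action": object_actions,
                "Resource": f"{bucket_arn}/{folder}/*",
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource_arn, context=None):
    """Return True if some Allow statement matches action, resource and conditions.

    Action names are compared case-insensitively (as IAM does); resource ARNs
    and condition values are case-sensitive. A StringLike condition whose
    context key is absent from the request does not match, so a request
    without an s3:prefix is refused by the list statement above.
    """
    context = context or {}
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(statement["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r)
                   for r in _as_list(statement["Resource"])):
            continue
        conditions_hold = True
        for operator, pairs in statement.get("Condition", {}).items():
            if operator != "StringLike":
                conditions_hold = False  # unsupported operator: fail closed
                continue
            for key, patterns in pairs.items():
                value = context.get(key)
                if value is None or not any(fnmatch.fnmatchcase(value, p)
                                            for p in _as_list(patterns)):
                    conditions_hold = False
        if conditions_hold:
            return True
    return False  # default deny


def check_folder_scoping(bucket="BUCKET", folder="FOLDER"):
    """Exercise the policy with constructed requests and report each outcome."""
    policy = make_folder_policy(bucket, folder)
    no_delete = make_folder_policy(bucket, folder, allow_delete=False)
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "put_in_folder": is_allowed(policy, "s3:PutObject", f"{arn}/{folder}/report.csv"),
        "put_outside": is_allowed(policy, "s3:PutObject", f"{arn}/other/report.csv"),
        "list_folder": is_allowed(policy, "s3:ListBucket", arn, {"s3:prefix": f"{folder}/"}),
        "list_root": is_allowed(policy, "s3:ListBucket", arn, {}),
        "delete_no_delete": is_allowed(no_delete, "s3:DeleteObject", f"{arn}/{folder}/report.csv"),
    }


if __name__ == "__main__":
    # Print a China-partition policy ready to paste into the IAM console,
    # then the scoping checks (expected: only put_in_folder and list_folder are True).
    print(json.dumps(make_folder_policy("BUCKET", "FOLDER", partition="aws-cn"), indent=2))
    for name, outcome in check_folder_scoping().items():
        print(f"{name}: {'allowed' if outcome else 'denied'}")
```

The list_root result is the check worth noticing: a client that lists the bucket root without a prefix is refused by a prefix-scoped ListBucket statement, so such a client may show an empty bucket until it is pointed directly at the FOLDER/ path. That is expected behaviour of the folder-only policies above, not a misconfiguration.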