Sun*_*arc 8 amazon-s3 amazon-web-services
我有一个装满内容的桶,大部分都是公开的.但是,有一个文件夹(也称为"前缀")只能由经过身份验证的IAM用户访问.
{
"Statement": [
{
"Sid": "AllowIAMUser",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucket/prefix1/prefix2/private/*",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:user/bobbydroptables"
]
}
},
{
"Sid": "AllowAccessToAllExceptPrivate",
"Action": [
"s3:GetObject",
"s3:GetObjectVersion"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucket/*",
"Condition": {
"StringNotLike": {
"s3:prefix": "prefix1/prefix2/private/"
}
},
"Principal": {
"AWS": [
"*"
]
}
}
]
}
当我尝试保存此策略时,我从AWS收到以下错误消息:
Conditions do not apply to combination of actions and resources in statement -
Condition "s3:prefix"
and action "s3:GetObject"
in statement "AllowAccessToAllExceptPrivate"
显然,此错误特别适用于第二个语句.是否无法在"s3:GetObject"操作中使用"s3:prefix"条件?
是否可以获取公共存储桶的一部分并使其仅对经过身份验证的用户可访问?
如果重要,只能通过api以只读方式访问此存储桶.
此问题类似于仅适用于公共限制的Amazon S3存储桶策略,但我尝试采用不同的方法来解决问题.
Sun*_*arc 20
在对AWS文档进行了大量挖掘,以及在策略编辑器中进行了许多尝试和错误排列后,我认为我找到了一个合适的解决方案.
显然,AWS提供了一个名为NotResource的选项(当前未在策略生成器中找到).
The NotResource element lets you grant or deny access to all but a few
of your resources, by allowing you to specify only those resources to
which your policy should not be applied.
有了这个,我甚至不需要玩弄条件.这意味着以下语句将在存储桶策略中起作用:
{
"Sid": "AllowAccessToAllExceptPrivate",
"Action": [
"s3:GetObject",
"s3:GetObjectVersion"
],
"Effect": "Allow",
"NotResource": [
"arn:aws:s3:::bucket/prefix1/prefix2/private/*",
"arn:aws:s3:::bucket/prefix1/prefix2/private"
],
"Principal": {
"AWS": [
"*"
]
}
}
| 归档时间: |
|
| 查看次数: |
5032 次 |
| 最近记录: |