You can now use a condition in an S3 bucket policy to constrain the creation of S3 objects (using PutObject) to specific storage classes.
The current version of the AWS documentation has an example - Restrict object uploads to objects with a specific storage class.
Suppose Account A owns a bucket and the account administrator wants to restrict Dave, a user in Account A, to be able to only upload objects to the bucket that will be stored with the
STANDARD_IAstorage class. The Account A administrator can accomplish this by using thes3:x-amz-storage-classcondition key as shown in the following example bucket policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "statement1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountA-ID:user/Dave"
},
"Action": "s3:PutObject",
"Resource": [
"arn:aws:s3:::examplebucket/*"
],
"Condition": {
"StringEquals": {
"s3:x-amz-storage-class": [
"STANDARD_IA"
]
}
}
}
]
}
Your values for Principal and Resource would be specific to your users and S3 bucket(s). The Condition constraint would need to change to STANDARD.
恐怕没有,至少似乎没有记录 - 鉴于Amazon IAM策略设计,此约束需要通过 resp 来覆盖。健康)状况:
Condition 元素(或 Condition 块)允许您指定策略生效的条件。[...] 条件值可以包括日期、时间、请求者的 IP 地址、请求源的 ARN、用户名、用户 ID 和请求者的用户代理。有些服务允许您在条件中指定附加值;例如,Amazon S3 允许您使用 s3:VersionId 键编写条件,该键对于该服务是唯一的。[...] [强调我的]
现在,在策略中指定条件中的对象操作的 Amazon S3 条件键部分缺少对存储类的任何引用,而语义同级已经存在:s3:x-amz-server-side-encryption
授予 s3:PutObject 权限时,存储桶所有者可以使用此键添加条件,要求用户在请求中指定此标头。存储桶所有者可以授予此类条件权限,以确保用户上传的对象以加密方式保存。
考虑到这些标头所涉及的对称性(请参阅对象密钥和元数据中的系统定义元数据部分),您可能只想简单地尝试一下,也许您很幸运,它已经处于“私人测试版”中;)s3:x-amz-storage-class
| 归档时间: |
|
| 查看次数: |
1333 次 |
| 最近记录: |