Amazon Web Services:设置S3策略以允许putObject和getObject但拒绝listBucket
[英]Amazon Web Services : Setting S3 policy to allow putObject and getObject but deny listBucket
问题描述
I am using getObject and putObject requests on Amazon S3 and in creating a policy for access to the bucket I discovered that if I don't allow listBucket I get an 'access denied' error. 
我在Amazon S3上使用getObject和putObject请求,并在创建访问存储桶的策略时发现,如果我不允许listBucket,我会收到“访问被拒绝”错误。
The problem with this is that listBucket means a user can list the keys in a bucket and this presents a security threat. 这样的问题是listBucket意味着用户可以列出存储桶中的密钥,这会带来安全威胁。
Is it possible to allow getObject and putObject without allowing listBucket? 是否可以在不允许listBucket的情况下允许getObject和putObject? or is there a workaround for this? 或者有解决方法吗?
Here is the policy: 这是政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt##",
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::myBucket"
]
},
{
"Sid": "Stmt##",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::myBucket/*"
]
}
]
}
1 个解决方案
解决方案1
4 已采纳 2014-12-23 17:51:59
From the Get Object documentation : 从Get Object文档 :
You need the
s3:GetObjectpermission for this operation.s3:GetObject权限才能执行此操作。 For more information, go to Specifying Permissions in a Policy in the Amazon Simple Storage Service Developer Guide.s3:ListBucketpermission.s3:ListBucket权限。
I've confirmed this behavior by editing a policy that was essentially identical to yours. 我已经通过编辑与您的策略基本相同的策略来确认此行为。
I am able to get an existing object without trouble, whether or not I have the s3:ListBucket privilege , as long as I have the s3:GetObject privilege. 我能够毫无困难地获得现有对象,无论我是否具有s3:ListBucket权限 ,只要我具有s3:GetObject权限。
The behavior changes only if I don't also have the s3:ListBucket privilege, and I request an object that does not exist . 仅当我还没有s3:ListBucket权限时,行为才会更改,并且我请求一个不存在的对象 。 In that case, S3 will not admit to me whether that object exists -- I'm denied access to knowledge about the existence of the object, since I'm not authorized to see the list. 在这种情况下,S3不会向我承认该对象是否存在 - 我被拒绝访问有关对象存在的知识,因为我无权查看该列表。
Response for a valid request to a nonexistent object, without s3:ListBucket : 响应对不存在的对象的有效请求, 没有 s3:ListBucket :
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>xxxx</RequestId>
<HostId>xxxx</HostId>
</Error>
Response for a valid request for the same nonexistent object, with s3:ListBucket : 响应对同一个不存在的对象的有效请求, 使用 s3:ListBucket :
<Error>
<Code>NoSuchKey</Code>
<Message>The specified key does not exist.</Message>
<Key>fakefile.txt</Key>
<RequestId>xxxx</RequestId>
<HostId>xxxx</HostId>
</Error>
So, on objects that don't actually exist, "access denied" is the expected response without s3:ListBucket . 因此,对于实际不存在的对象,“访问被拒绝”是没有s3:ListBucket的预期响应。 Otherwise, it works as expected. 否则,它按预期工作。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.