s3存储桶中的我的映像可供公众访问,这不应该是
[英]My image in s3 bucket is accessible to public which is not supposed to be
问题描述
I am facing a very strange issue which is either my lack of knowledge or a bug in aws s3 : 
我面临一个非常奇怪的问题,要么是我缺乏知识,要么是aws s3中的错误:
So I create an s3bucket which is not accessible to anyone in public and then I put an image in it. 因此,我创建了一个s3bucket,任何人在公共场合都无法访问它,然后在其中放入一个图像。 So when I try that image that is definitely no visible to everyone which is good.(So both my bucket and image have no public access) Then I added the following bucket policy to it: 因此,当我尝试对所有人都绝对不可见的图像时(因此我的存储桶和图像都没有公共访问权限),然后在其中添加了以下存储桶策略:
{
"Version": "2012-10-17",
"Id": "Policy1506624486110",
"Statement": [
{
"Sid": "Stmt1506624421375",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mybucketname/*"
}
]
}
At this point based on my understanding all aws resources are accessible to this image but not any other people in the public. 基于我的理解,此图像上的所有aws资源均可访问,但公众中其他任何人都无法访问。 Strangely I see that people in public, any stranger can access this image. 奇怪的是,我看到公众中的任何陌生人都可以访问此图像。 Can anyone explain what that bucket policy magically does that it make it available to public? 任何人都可以神奇地解释该存储桶策略使它对公众可用吗?
2 个解决方案
解决方案1
1 已采纳 2017-10-01 15:26:10
You're explicitly making your bucket public. 您明确地将自己的存储桶公开。
To grant permission to everyone, also referred as anonymous access, you set the wildcard, "*", as the Principal value.
"Principal":"*"
"Principal":{"AWS":"*"}http://docs.aws.amazon.com/AmazonS3/latest/dev/s3-bucket-user-policy-specifying-principal-intro.html
The option of either using the "AWS" at the "beginning" (as the object key in a JSON object) or the bare scalar string "*" is presumably for historical reasons, one being an older or newer form than the other, but that doesn't appear to be documented. 可能是出于历史原因,选择在“开始"AWS"处使用"AWS" (作为JSON对象中的对象键)还是使用纯标量字符串"*" ,一种是比另一种旧或新的形式,但是似乎没有记录。 The object key refers to an authority type, with other documented values including "CanonicalUser" , "Federated" , and "Service" . 对象密钥是一种授权类型,具有其他记录的值,包括"CanonicalUser" , "Federated"和"Service" 。
There are very few valid use cases for using "*" in a policy, unless additional condition tests in the policy are used to narrow the policy's scope. 除非在策略中使用其他条件测试来缩小策略的范围,否则在策略中使用"*"有效用例很少。
Note also that the * is not a true wildcard, here. 另请注意,此处的*不是真正的通配符。 It's only a placeholder for "everyone." 它只是“所有人”的占位符。 You can't use it in a principal to match a portion of an ARN. 您不能在主体中使用它来匹配ARN的一部分。 For example, "AWS": [ "arn:aws:iam:account-id:user/*" ] does not mean all IAM users in the specified account. 例如, "AWS": [ "arn:aws:iam:account-id:user/*" ]并不意味着指定帐户中的所有IAM用户。
The best practice recommendation is not to use bucket policies when the desired action can be accomplished with user or role policies. 最佳实践建议是当可以通过用户或角色策略完成所需的操作时,不要使用存储桶策略。
解决方案2
0 2017-09-29 14:49:30
You should be specific to the principal. 您应该特定于校长。 You can give multiple ARN's instead of '*'. 您可以给多个ARN而不是'*'。 You bucket policy generator to generate policy and specify which ARN you want in the principal. 您可以对策略生成器进行存储以生成策略,并在主体中指定所需的ARN。 It would be worth read below link, 值得阅读下面的链接,
http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.