[英]My image in s3 bucket is accessible to public which is not supposed to be
I am facing a very strange issue which is either my lack of knowledge or a bug in aws s3 : 我面临一个非常奇怪的问题,要么是我缺乏知识,要么是aws s3中的错误:
So I create an s3bucket which is not accessible to anyone in public and then I put an image in it. 因此,我创建了一个s3bucket,任何人在公共场合都无法访问它,然后在其中放入一个图像。 So when I try that image that is definitely no visible to everyone which is good.(So both my bucket and image have no public access) Then I added the following bucket policy to it: 因此,当我尝试对所有人都绝对不可见的图像时(因此我的存储桶和图像都没有公共访问权限),然后在其中添加了以下存储桶策略:
{
"Version": "2012-10-17",
"Id": "Policy1506624486110",
"Statement": [
{
"Sid": "Stmt1506624421375",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mybucketname/*"
}
]
}
At this point based on my understanding all aws resources are accessible to this image but not any other people in the public. 基于我的理解,此图像上的所有aws资源均可访问,但公众中其他任何人都无法访问。 Strangely I see that people in public, any stranger can access this image. 奇怪的是,我看到公众中的任何陌生人都可以访问此图像。 Can anyone explain what that bucket policy magically does that it make it available to public? 任何人都可以神奇地解释该存储桶策略使它对公众可用吗?
You're explicitly making your bucket public. 您明确地将自己的存储桶公开。
To grant permission to everyone, also referred as anonymous access, you set the wildcard, "*", as the Principal value. 要向所有人授予权限(也称为匿名访问),请将通配符“ *”设置为Principal值。 For example, if you configure your bucket as a website, you want all the objects in the bucket to be publicly accessible. 例如,如果将存储桶配置为网站,则希望该存储桶中的所有对象均可公开访问。 The following are equivalent: 以下是等效的:
"Principal":"*"
"Principal":{"AWS":"*"}
http://docs.aws.amazon.com/AmazonS3/latest/dev/s3-bucket-user-policy-specifying-principal-intro.html http://docs.aws.amazon.com/AmazonS3/latest/dev/s3-bucket-user-policy-specifying-principal-intro.html
The option of either using the "AWS"
at the "beginning" (as the object key in a JSON object) or the bare scalar string "*"
is presumably for historical reasons, one being an older or newer form than the other, but that doesn't appear to be documented. 可能是出于历史原因,选择在“开始"AWS"
处使用"AWS"
(作为JSON对象中的对象键)还是使用纯标量字符串"*"
,一种是比另一种旧或新的形式,但是似乎没有记录。 The object key refers to an authority type, with other documented values including "CanonicalUser"
, "Federated"
, and "Service"
. 对象密钥是一种授权类型,具有其他记录的值,包括"CanonicalUser"
, "Federated"
和"Service"
。
There are very few valid use cases for using "*"
in a policy, unless additional condition tests in the policy are used to narrow the policy's scope. 除非在策略中使用其他条件测试来缩小策略的范围,否则在策略中使用"*"
有效用例很少。
Note also that the *
is not a true wildcard, here. 另请注意,此处的*
不是真正的通配符。 It's only a placeholder for "everyone." 它只是“所有人”的占位符。 You can't use it in a principal to match a portion of an ARN. 您不能在主体中使用它来匹配ARN的一部分。 For example, "AWS": [ "arn:aws:iam:account-id:user/*" ]
does not mean all IAM users in the specified account. 例如, "AWS": [ "arn:aws:iam:account-id:user/*" ]
并不意味着指定帐户中的所有IAM用户。
The best practice recommendation is not to use bucket policies when the desired action can be accomplished with user or role policies. 最佳实践建议是当可以通过用户或角色策略完成所需的操作时,不要使用存储桶策略。
You should be specific to the principal. 您应该特定于校长。 You can give multiple ARN's instead of '*'. 您可以给多个ARN而不是'*'。 You bucket policy generator to generate policy and specify which ARN you want in the principal. 您可以对策略生成器进行存储以生成策略,并在主体中指定所需的ARN。 It would be worth read below link, 值得阅读下面的链接,
http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.