堆栈内存溢出
  简体   繁体   English

AWS S3存储桶策略-仅在前缀内允许GetObject

[英]AWS S3 Bucket Policy - Allow GetObject only within a prefix

 原文  2017-12-07 01:55:18       amazon-web-services/ amazon-s3/ bucket

问题描述

I'm trying to put a policy on my bucket to allow public 'GetObject' access on my objects, but only those within a certain prefix. 我正在尝试在存储桶上放置一条策略,以允许对对象的公共“ GetObject”访问,但仅允许在特定前缀内的对象访问。 Like this: 像这样: 

    {
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::mybucket/publicstuff/*"
    }

The problem is, AWS warns me that this makes the entire bucket public. 问题是,AWS警告我,这会使整个存储桶公开。 And sure enough, it does; 可以肯定的是, if I try to GET an object from /mybucket/anywhereelse/, S3 serves it up freely. 如果我尝试从/ mybucket / anywhereelse /获取对象,则S3免费提供它。 So everything after 'mybucket' is ignored. 因此,“ mybucket”之后的所有内容都将被忽略。

Is there any way to build a bucket policy applicable to a specific prefix within the bucket? 有什么方法可以构建适用于存储桶中特定前缀的存储桶策略? I tried a policy condition, but found the s3:prefix cannot be used when using the s3:GetObject action. 我尝试了一个策略条件,但发现在使用s3:GetObject操作时无法使用s3:prefix。

2 个解决方案

解决方案1
 0  2017-12-07 04:01:40

That is totally fine, although you see an indication, showing that your bucket is publicly accessible. 尽管您看到指示,表明您的存储桶是可公开访问的,这完全没问题。 You should notice that this indicator shows that the public access to (some contents of) this bucket is provided. 您应该注意,该指示器表明提供了对该存储桶(其中的某些内容)的公共访问。
So to check that there is no problem you can just test a file outside the publicly accessible folder and compare that with a file which should be publicly accessible due to your policy. 因此,要检查是否没有问题,您可以只测试可公开访问的文件夹之外的文件,然后将其与根据您的政策应可公开访问的文件进行比较。
You can see in the following picture that I have made a sub-folder of my bucket (toignore), accessible to the public: 您可以在下图中看到我创建了一个存储桶的子文件夹(忽略),可供公众使用:

在此处输入图片说明

This is the tree-view of the bucket: 这是存储桶的树状视图:

├── directory ├──目录
│ ├── toignore │├──忽略
│ │ └── i.txt ││└──i.txt
└── ni.txt └──ni.txt

Based on my policy, i.txt is publicly accessible but ni.txt is not, and the indicator shows the public access. 根据我的政策,i.txt可公开访问,但ni.txt不可访问,并且指示器显示公共访问权限。

解决方案2
 0  2017-12-09 00:45:23

Thanks @michael and @mok, I've found the answer: I'm a moron. 感谢@michael和@mok,我找到了答案:我是个白痴。 The other objects that I used to verify the standard behavior happen to have individual permissions on them to allow getObject, and I didn't remember putting them there or notice them being there. 我用来验证标准行为的其他对象碰巧具有对它们的单独权限,以允许getObject,而且我不记得将它们放在那里或没有注意到它们在那儿。 When I removed these permissions, It appeared I could still access these objects, but I was actually picking up cached copies. 当我删除这些权限时,看来我仍然可以访问这些对象,但实际上是在拾取缓存的副本。 When removing these spurious permissions, and using a completely different browser, I verified that my originally posted policy was correct. 在删除这些虚假权限并使用完全不同的浏览器时,我验证了我最初发布的策略是正确的。 Sorry for the trouble. 抱歉,添麻烦了。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 仅允许小写文件的 AWS S3 存储桶策略 - AWS S3 Bucket Policy to allow only lowercase files AWS S3 存储桶策略:基于账户 ID 前缀的权限 - AWS S3 bucket policy: permissions based on account id prefix AWS S3存储桶策略,允许从我的实例进行只读访问 - AWS S3 Bucket Policy to allow read-only access from my instances AWS IAM策略:如何更改AWSLambdaFullAccess策略以仅允许访问一个S3存储桶? - AWS IAM Policies: How do I alter the AWSLambdaFullAccess policy to only allow access to one S3 bucket? AWS S3存储桶策略-仅允许文件夹中的某些文件类型 - AWS S3 Bucket Policy - Only Allow Certain File Types In Folder AWS S3允许Cognito用户访问存储桶前缀 - aws s3 allow access to bucket prefix for cognito user 在 AWS S3 存储桶上设置 IAM 策略(允许更改 ACL) - Setting IAM Policy on AWS S3 Bucket (allow change ACL) 允许访问 Cognito 用户的 AWS S3 存储桶策略 - AWS S3 bucket policy to allow access to Cognito users 有没有办法在 AWS S3 中允许 GetObjectAttributes 但不允许 GetObject? - Is there a way to allow GetObjectAttributes but not GetObject in AWS S3? AWS S3存储桶策略 - AWS S3 bucket policy
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM