[英]AWS S3 Bucket policy Access Denyed
S3 is secure by default, and always has been -- the user has always needed to take deliberate, purposeful steps in order to "accidentally" make their bucket content public... yet users still make configuration errors on occasion and expose their buckets. S3默认情况下是安全的,而且一直以来都是-用户始终需要采取有目的的有步骤的步骤,以“意外地”公开其存储桶内容……但是用户有时仍会犯配置错误并暴露其存储桶。
AWS implemented two levels of anti-footgun protection, designed to make these mistakes more difficult -- there are bucket-level and acccount level settings to prevent public access to buckets, both of which need to "allow" you to do this. AWS实施了两个级别的反脚步枪保护,旨在使这些错误更加棘手-有存储桶级和帐户级别设置以防止公共访问存储桶, 这两者都需要“允许”您执行此操作。 If either policy prevents you from making the bucket public, you'll get
Access Denied
when trying to create or change a bucket policy if the system categorizes your new policy as even slightly "public." 如果任一策略都禁止您公开存储桶,则在系统创建或更改存储桶策略时,如果系统将您的新策略归类为“公开”,则会被
Access Denied
。
Before you proceed and turn off the safety, note that the system is trying to protect you from yourself. 在继续操作并关闭安全性之前,请注意系统正在尝试保护您免受自身伤害。 There is essentially never a valid reason to allow
*
to write to or delete from your bucket. 基本上没有绝对的理由允许
*
向您的存储桶写入或删除存储桶。 "Principal": "*"
means any user, including unauthenticated/anonymous users. "Principal": "*"
表示任何用户,包括未经身份验证/匿名的用户。
Find "Public access settings for this account" in the left-side navigation pane of the S3 console for the global settings. 在S3控制台的左侧导航窗格中找到“此帐户的公共访问设置”以获取全局设置。
https://aws.amazon.com/blogs/aws/amazon-s3-block-public-access-another-layer-of-protection-for-your-accounts-and-buckets/ https://aws.amazon.com/blogs/aws/amazon-s3-block-public-access-another-layer-of-protection-for-your-accounts-and-buckets/
Seems look like the user account you're trying do this, doesn't have permission to change this particular bucket. 似乎您正在尝试执行此操作的用户帐户没有权限更改此特定存储桶。 Please check your account permission on IAM or on account panel.
请在IAM或帐户面板上检查您的帐户权限。
To view a bucket policy, your IAM user or role must have permission to the s3:GetBucketPolicy
action. 要查看存储桶策略,您的IAM用户或角色必须具有
s3:GetBucketPolicy
操作的权限。 To edit an existing bucket policy, your IAM user or role must have permission to the s3:PutBucketPolicy
action. 要编辑现有存储桶策略,您的IAM用户或角色必须具有
s3:PutBucketPolicy
操作的权限。
Also, make sure that there are no Deny
statements in your IAM policy that override the bucket policy permissions. 另外,请确保您的IAM策略中没有
Deny
桶策略权限的Deny
语句。
By the way, I notice that your proposed S3 bucket policy allows anyone to delete objects. 顺便说一句,我注意到您建议的S3存储桶策略允许任何人删除对象。 I'm not sure if that was your intention but it's typically not advisable to do this.
我不确定这是否是您的意图,但通常不建议这样做。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.