简体繁体 English

AWS S3存储桶策略访问被拒绝

[英]AWS S3 Bucket policy Access Denyed

原文 2019-03-03 15:07:42 5 3 amazon-web-services/ amazon-s3

Trying to set bucket policy for S3 bucket but get an error Access denied: 尝试为S3存储桶设置存储桶策略，但收到错误访问拒绝：

All options in Public access setting are set to false: 公共访问设置中的所有选项都设置为false：

So, the question is what do I need to set bucket policy? 因此，问题是我需要设置存储桶策略吗？

3 个解决方案

S3 is secure by default, and always has been -- the user has always needed to take deliberate, purposeful steps in order to "accidentally" make their bucket content public... yet users still make configuration errors on occasion and expose their buckets. S3默认情况下是安全的，而且一直以来都是-用户始终需要采取有目的的有步骤的步骤，以“意外地”公开其存储桶内容……但是用户有时仍会犯配置错误并暴露其存储桶。

AWS implemented two levels of anti-footgun protection, designed to make these mistakes more difficult -- there are bucket-level and acccount level settings to prevent public access to buckets, both of which need to "allow" you to do this. AWS实施了两个级别的反脚步枪保护，旨在使这些错误更加棘手-有存储桶级和帐户级别设置以防止公共访问存储桶， 这两者都需要“允许”您执行此操作。 If either policy prevents you from making the bucket public, you'll get Access Denied when trying to create or change a bucket policy if the system categorizes your new policy as even slightly "public." 如果任一策略都禁止您公开存储桶，则在系统创建或更改存储桶策略时，如果系统将您的新策略归类为“公开”，则会被Access Denied 。

Before you proceed and turn off the safety, note that the system is trying to protect you from yourself. 在继续操作并关闭安全性之前，请注意系统正在尝试保护您免受自身伤害。 There is essentially never a valid reason to allow * to write to or delete from your bucket. 基本上没有绝对的理由允许*向您的存储桶写入或删除存储桶。 "Principal": "*" means any user, including unauthenticated/anonymous users. "Principal": "*"表示任何用户，包括未经身份验证/匿名的用户。

Find "Public access settings for this account" in the left-side navigation pane of the S3 console for the global settings. 在S3控制台的左侧导航窗格中找到“此帐户的公共访问设置”以获取全局设置。

https://aws.amazon.com/blogs/aws/amazon-s3-block-public-access-another-layer-of-protection-for-your-accounts-and-buckets/ https://aws.amazon.com/blogs/aws/amazon-s3-block-public-access-another-layer-of-protection-for-your-accounts-and-buckets/

Seems look like the user account you're trying do this, doesn't have permission to change this particular bucket. 似乎您正在尝试执行此操作的用户帐户没有权限更改此特定存储桶。 Please check your account permission on IAM or on account panel. 请在IAM或帐户面板上检查您的帐户权限。

To view a bucket policy, your IAM user or role must have permission to the s3:GetBucketPolicy action. 要查看存储桶策略，您的IAM用户或角色必须具有s3:GetBucketPolicy操作的权限。 To edit an existing bucket policy, your IAM user or role must have permission to the s3:PutBucketPolicy action. 要编辑现有存储桶策略，您的IAM用户或角色必须具有s3:PutBucketPolicy操作的权限。

Also, make sure that there are no Deny statements in your IAM policy that override the bucket policy permissions. 另外，请确保您的IAM策略中没有Deny桶策略权限的Deny语句。

By the way, I notice that your proposed S3 bucket policy allows anyone to delete objects. 顺便说一句，我注意到您建议的S3存储桶策略允许任何人删除对象。 I'm not sure if that was your intention but it's typically not advisable to do this. 我不确定这是否是您的意图，但通常不建议这样做。