S3 存储桶策略允许任何人查看 - 但不能列出 - 存储桶中的所有文件?
[英]S3 bucket policy to allow anyone to view - but not list - all files in bucket?
问题描述
I guess an extremely common pattern for public S3 buckets is to allow anyone (ie the public) to view each file in a bucket if they got the URL for that object, but to not allow the public to list items in the bucket (ie they should not be able to generate a list of every item in the bucket).
我想公共 S3 存储桶的一个极其常见的模式是允许任何人(即公众)查看存储桶中的每个文件,如果他们获得 object 的 URL,但不允许公众列出存储桶中的项目(即他们不应该能够生成存储桶中每个项目的列表)。
This would probably be quite a common configuration for a lot of public websites which won't ever any assets that they have to hide from public view.对于许多公共网站来说,这可能是一种非常常见的配置,这些网站永远不会向公众展示他们必须隐藏的任何资产。
The first thing I did was went to S3 -> clicked on the bucket -> Permissions -> 'Block Public Access' -> Edit -> Uncheck all the boxes (thus allowing full public access to the items in the bucket).我做的第一件事是转到 S3 -> 单击存储桶 -> 权限 -> “阻止公共访问” -> 编辑 -> 取消选中所有框(从而允许完全公开访问存储桶中的项目)。
But when I use the browser to visit an image URL directly, it's still 'Access Denied', which I suspect is because I have yet to allow public access via a Policy .但是当我使用浏览器直接访问图像 URL 时,它仍然是“拒绝访问”,我怀疑这是因为我还没有通过Policy允许公共访问。
Question问题
What is the simplest policy to allow any member of the public to view (AKA 'read') any object in the S3 bucket 1 , but not to list (ie see a list of all the objects) in the bucket?允许任何公众成员查看(也称为“读取”)S3 存储桶1中的任何 object 但不允许在存储桶中列出(即查看所有对象的列表)的最简单策略是什么?
1 They'll need a URL to do so, unless they guess it. 1他们需要一个 URL 才能这样做,除非他们猜到了。
2 个解决方案
解决方案1
4 已采纳 2022-02-19 02:40:59
Yes you are correct you are still getting access denied because there is no policy.是的,你是对的,你仍然被拒绝访问,因为没有政策。
A simply policy to GET object would be. GET object 的简单策略是。 Docs for reference 文档供参考
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::Bucket-Name/*"
]
}
]
}
Note : Here there is no usage of ListObject which does not give permission to user to list object in the bucket注意:这里没有使用ListObject ,它不允许用户在存储桶中列出 object
解决方案2
2 2022-02-19 02:43:20
In the AWS console visit: S3 -> click on your bucket -> Permissions -> Scroll down to 'Bucket policy' -> Click 'Edit'.在 AWS 控制台中访问:S3 -> 单击您的存储桶 -> 权限 -> 向下滚动到“存储桶策略” -> 单击“编辑”。
Note from S3 Policy Examples Docs : S3 策略示例文档中的注释:
Warning: Use caution when granting anonymous access to your Amazon S3 bucket or disabling block public access settings.
For static website hosting where any member of the public should be able to access any file in the S3 bucket (but not list the files), here is the policy:对于 static 网站托管,任何公众成员都应该能够访问 S3 存储桶中的任何文件(但不列出文件),政策如下:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicRead",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource": [
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
]
}
]
}
Simply replace DOC-EXAMPLE-BUCKET with the name of your bucket.只需将DOC-EXAMPLE-BUCKET替换为您的存储桶名称即可。
Note: the public cannot 'list' the files in the bucket, since the "s3:ListBucket" Action is not included above.注意:公众无法“列出”存储桶中的文件,因为上面未包含"s3:ListBucket"操作。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.