[英]Deny DeleteObject with a specific tag value in S3 bucket
我偶然发现了以下问题:我无法创建存储桶策略,该策略拒绝使用具有特定标记值的对象删除对象。
通过尝试创建如下语句:
{
"Sid": "Stmt1234",
"Action": "s3:DeleteObject",
"Effect": "Deny",
"Resource": [
"arn:aws:s3:::foo/*",
"arn:aws:s3:::foo"
],
"Principal": "*",
"Condition": {
"StringLike": {
"s3:ExistingObjectTag/DoNotDelete": "true"
}
}
}
我收到此错误:
Conditions do not apply to combination of actions and resources in statement
但是,如果我将Action更改为s3:DeleteObjectTagging ,则该策略将变为有效。 我想这是因为可以对特定操作使用哪些条件的限制: https : //docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html
有什么办法可以制定这样的政策?
如果您查看Amazon S3-AWS Identity and Access Management的操作,资源和条件键 ,您将看到:
DeleteObjectTagging的条件键为s3:ExistingObjectTag/<key> DeleteObject没有与标签相关的条件键 您只能使用一个Condition ,其中的条件列出了该特殊操作的政策英寸
s3:ExistingObjectTag对s3:DeleteObject操作不可用。 我更喜欢您使用名为“ aws:TagKeys”的全局条件键,例如:
{
"Sid": "Stmt1234",
"Action": "s3:DeleteObject",
"Effect": "Deny",
"Resource": [
"arn:aws:s3:::foo/*",
"arn:aws:s3:::foo"
],
"Principal": "*",
"Condition": {
"StringLike": {
"aws:TagKeys": "DoNotDelete"
}
}
}
希望能帮助到你。
s3 生命周期规则是否覆盖拒绝删除存储桶或 DeleteObject 策略是 s3 存储桶?
[英]Does s3 lifecycle rules overwrite Deny Delete Bucket or DeleteObject policy is s3 bucket?
存储桶策略拒绝S3:DeleteBucket和S3:DeleteObject仍然删除对象
[英]Bucket policy denying S3:DeleteBucket and S3:DeleteObject still deletes objects
使用 StringNotLike 条件为特定操作添加例外到 s3 存储桶拒绝策略的优雅方式
[英]Elegant way to add exceptions to s3 bucket deny policy using StringNotLike condition for specific actions
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.