![](/img/trans.png)
[英]Does s3 lifecycle rules overwrite Deny Delete Bucket or DeleteObject policy is s3 bucket?
[英]Deny DeleteObject with a specific tag value in S3 bucket
我偶然发现了以下问题:我无法创建存储桶策略,该策略拒绝使用具有特定标记值的对象删除对象。
通过尝试创建如下语句:
{
"Sid": "Stmt1234",
"Action": "s3:DeleteObject",
"Effect": "Deny",
"Resource": [
"arn:aws:s3:::foo/*",
"arn:aws:s3:::foo"
],
"Principal": "*",
"Condition": {
"StringLike": {
"s3:ExistingObjectTag/DoNotDelete": "true"
}
}
}
我收到此错误:
Conditions do not apply to combination of actions and resources in statement
但是,如果我将Action
更改为s3:DeleteObjectTagging
,则该策略将变为有效。 我想这是因为可以对特定操作使用哪些条件的限制: https : //docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html
有什么办法可以制定这样的政策?
如果您查看Amazon S3-AWS Identity and Access Management的操作,资源和条件键 ,您将看到:
DeleteObjectTagging
的条件键为s3:ExistingObjectTag/<key>
DeleteObject
没有与标签相关的条件键 您只能使用一个Condition
,其中的条件列出了该特殊操作的政策英寸
s3:ExistingObjectTag对s3:DeleteObject操作不可用。 我更喜欢您使用名为“ aws:TagKeys”的全局条件键,例如:
{
"Sid": "Stmt1234",
"Action": "s3:DeleteObject",
"Effect": "Deny",
"Resource": [
"arn:aws:s3:::foo/*",
"arn:aws:s3:::foo"
],
"Principal": "*",
"Condition": {
"StringLike": {
"aws:TagKeys": "DoNotDelete"
}
}
}
希望能帮助到你。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.