![](/img/trans.png)
[英]Does s3 lifecycle rules overwrite Deny Delete Bucket or DeleteObject policy is s3 bucket?
[英]Deny DeleteObject with a specific tag value in S3 bucket
我偶然發現了以下問題:我無法創建存儲桶策略,該策略拒絕使用具有特定標記值的對象刪除對象。
通過嘗試創建如下語句:
{
"Sid": "Stmt1234",
"Action": "s3:DeleteObject",
"Effect": "Deny",
"Resource": [
"arn:aws:s3:::foo/*",
"arn:aws:s3:::foo"
],
"Principal": "*",
"Condition": {
"StringLike": {
"s3:ExistingObjectTag/DoNotDelete": "true"
}
}
}
我收到此錯誤:
Conditions do not apply to combination of actions and resources in statement
但是,如果我將Action
更改為s3:DeleteObjectTagging
,則該策略將變為有效。 我想這是因為可以對特定操作使用哪些條件的限制: https : //docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html
有什么辦法可以制定這樣的政策?
如果您查看Amazon S3-AWS Identity and Access Management的操作,資源和條件鍵 ,您將看到:
DeleteObjectTagging
的條件鍵為s3:ExistingObjectTag/<key>
DeleteObject
沒有與標簽相關的條件鍵 您只能使用一個Condition
,其中的條件列出了該特殊操作的政策英寸
s3:ExistingObjectTag對s3:DeleteObject操作不可用。 我更喜歡您使用名為“ aws:TagKeys”的全局條件鍵,例如:
{
"Sid": "Stmt1234",
"Action": "s3:DeleteObject",
"Effect": "Deny",
"Resource": [
"arn:aws:s3:::foo/*",
"arn:aws:s3:::foo"
],
"Principal": "*",
"Condition": {
"StringLike": {
"aws:TagKeys": "DoNotDelete"
}
}
}
希望能幫助到你。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.