[英]Deny DeleteObject with a specific tag value in S3 bucket
我偶然發現了以下問題:我無法創建存儲桶策略,該策略拒絕使用具有特定標記值的對象刪除對象。
通過嘗試創建如下語句:
{
"Sid": "Stmt1234",
"Action": "s3:DeleteObject",
"Effect": "Deny",
"Resource": [
"arn:aws:s3:::foo/*",
"arn:aws:s3:::foo"
],
"Principal": "*",
"Condition": {
"StringLike": {
"s3:ExistingObjectTag/DoNotDelete": "true"
}
}
}
我收到此錯誤:
Conditions do not apply to combination of actions and resources in statement
但是,如果我將Action更改為s3:DeleteObjectTagging ,則該策略將變為有效。 我想這是因為可以對特定操作使用哪些條件的限制: https : //docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html
有什么辦法可以制定這樣的政策?
如果您查看Amazon S3-AWS Identity and Access Management的操作,資源和條件鍵 ,您將看到:
DeleteObjectTagging的條件鍵為s3:ExistingObjectTag/<key> DeleteObject沒有與標簽相關的條件鍵 您只能使用一個Condition ,其中的條件列出了該特殊操作的政策英寸
s3:ExistingObjectTag對s3:DeleteObject操作不可用。 我更喜歡您使用名為“ aws:TagKeys”的全局條件鍵,例如:
{
"Sid": "Stmt1234",
"Action": "s3:DeleteObject",
"Effect": "Deny",
"Resource": [
"arn:aws:s3:::foo/*",
"arn:aws:s3:::foo"
],
"Principal": "*",
"Condition": {
"StringLike": {
"aws:TagKeys": "DoNotDelete"
}
}
}
希望能幫助到你。
s3 生命周期規則是否覆蓋拒絕刪除存儲桶或 DeleteObject 策略是 s3 存儲桶?
[英]Does s3 lifecycle rules overwrite Deny Delete Bucket or DeleteObject policy is s3 bucket?
存儲桶策略拒絕S3:DeleteBucket和S3:DeleteObject仍然刪除對象
[英]Bucket policy denying S3:DeleteBucket and S3:DeleteObject still deletes objects
使用 StringNotLike 條件為特定操作添加例外到 s3 存儲桶拒絕策略的優雅方式
[英]Elegant way to add exceptions to s3 bucket deny policy using StringNotLike condition for specific actions
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.