Amazon Web Services:设置S3策略以允许putObject和getObject但拒绝listBucket [英] Amazon Web Services : Setting S3 policy to allow putObject and getObject but deny listBucket

问题描述

我在Amazon S3上使用getObject和putObject请求，并在创建访问存储桶的策略时发现，如果我不允许listBucket，则会出现访问被拒绝"错误.

I am using getObject and putObject requests on Amazon S3 and in creating a policy for access to the bucket I discovered that if I don't allow listBucket I get an 'access denied' error.

此问题是listBucket意味着用户可以列出存储桶中的键，并显示 安全威胁.

The problem with this is that listBucket means a user can list the keys in a bucket and this presents a security threat.

是否可以在没有listBucket的情况下允许getObject和putObject? 或有解决方法吗?

Is it possible to allow getObject and putObject without allowing listBucket? or is there a workaround for this?

以下是政策:

 {
 "Version": "2012-10-17",
"Statement": [
{
  "Sid": "Stmt##",
  "Effect": "Allow",
  "Action": [
    "s3:ListBucket"
  ],
  "Resource": [
    "arn:aws:s3:::myBucket"
  ]
},
{
  "Sid": "Stmt##",
  "Effect": "Allow",
  "Action": [
    "s3:GetObject",
    "s3:PutObject"
  ],
  "Resource": [
    "arn:aws:s3:::myBucket/*"
  ]
}
 ]
}

推荐答案

来自

此操作需要s3:GetObject权限.有关更多信息，请转到Amazon Simple Storage Service开发人员指南中的在策略中指定权限.如果您请求的对象不存在，Amazon S3返回的错误取决于您是否还具有s3:ListBucket权限.

You need the s3:GetObject permission for this operation. For more information, go to Specifying Permissions in a Policy in the Amazon Simple Storage Service Developer Guide. If the object you request does not exist, the error Amazon S3 returns depends on whether you also have the s3:ListBucket permission.

我已通过编辑与您的政策基本相同的政策来确认此行为.

I've confirmed this behavior by editing a policy that was essentially identical to yours.

只要我具有s3:GetObject特权，我就能轻松获得现有对象，无论我是否具有s3:ListBucket特权.

I am able to get an existing object without trouble, whether or not I have the s3:ListBucket privilege, as long as I have the s3:GetObject privilege.

仅当我也没有s3:ListBucket特权并且我请求一个不存在的对象时，行为才会改变.在那种情况下，S3不会向我承认该对象是否存在-由于我无权查看此列表，因此我被拒绝访问有关该对象存在的知识.

The behavior changes only if I don't also have the s3:ListBucket privilege, and I request an object that does not exist. In that case, S3 will not admit to me whether that object exists -- I'm denied access to knowledge about the existence of the object, since I'm not authorized to see the list.

对不存在的对象(无 s3:ListBucket:

<Error>
 <Code>AccessDenied</Code>
 <Message>Access Denied</Message>
 <RequestId>xxxx</RequestId>
 <HostId>xxxx</HostId>
</Error>

对同一个不存在的对象 with s3:ListBucket:

Response for a valid request for the same nonexistent object, with s3:ListBucket:

<Error>
 <Code>NoSuchKey</Code>
 <Message>The specified key does not exist.</Message>
 <Key>fakefile.txt</Key>
 <RequestId>xxxx</RequestId>
 <HostId>xxxx</HostId>
</Error>

因此，在实际上不存在的对象上，访问被拒绝"是没有s3:ListBucket的预期响应.否则，它将按预期工作.

So, on objects that don't actually exist, "access denied" is the expected response without s3:ListBucket. Otherwise, it works as expected.

这篇关于Amazon Web Services:设置S3策略以允许putObject和getObject但拒绝listBucket的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！