如何设置Amazon S3的桶政策，私下大家除了管理？ [英] How to set amazon S3 bucket policy to private to everyone except admin?

问题描述

我有一个水桶在那里我已经无意中上传的数以千计的文件与ACL到：public_read 我想所有的文件是除了与所生成的访问URL不可用。

我试图创建一个水桶政策，拒绝所有的每一个人，让我的全部。

它不工作，所有的文件都与生成的访问URL甚至禁止：

  

<一个href="http://s3.amazonaws.com/myBucket/myFile.pdf?AWSAccessKeyId=AKIAIZB2XTOJ6KYB5SCA&Expires=1331137308&Signature=zRfPOj4XFBrXhyqDZ5DpwJqsWs0%3D" rel="nofollow">http://s3.amazonaws.com/myBucket/myFile.pdf?AWSAccessKeyId=AKIAIZB2XTOJ6KYB5SCA&Expires=1331137308&Signature=zRfPOj4XFBrXhyqDZ5DpwJqsWs0%3D

  {
    版本：2008-10-17，
    ID：Policy1331136935471
    声明： [
        {
            锡德：Stmt1331136294179
            效果：拒绝，
            主要： {
                AWS：*
            }，
            行动：S3：GetObject的，
            资源：ARN：AWS：S3 ::: myBucket / *
        }，
        {
            锡德：Stmt1331136364169
            效果：允许，
            主要： {
                AWS：ARN：AWS：IAM :: 6527 ... 3775：根
            }，
            行动：S3：*，
            资源：ARN：AWS：S3 ::: myBucket / *
        }
    ]
}
 

更新：
我发现引用默认拒绝的文档，但在AWS策略生成只有2个值允许和拒绝没有任何人有语法默认拒绝？

感谢您的帮助

解决方案

好了，所以，据我了解，如果我只设置允许我那么就应该否认其他人默认。

我试图设置桶政策，但我的档案还在下载：从URL只是删除访问密钥ID，如：的 http://s3.amazonaws.com/myBucket/myFile.pdf

我的文件ACL仍设置为：公共看了这么看来，我实在斗的政策和单独的文件ACL

之间的冲突

我放弃了让所有私人文件通过斗的政策，如果有人曾经需要做私募内部S3存储大量的文件，这里是rake任务我终于写道：

 递减请在S3​​中私人所有对象
  任务：make_private =＆GT; ：环境做
    要求AWS / S3

    bucket_name ='yourBucket
    标记=

    AWS :: S3 :: Base.establish_connection！（
      ：access_key_id =＆GT; yourKey
      ：secret_access_key =＆GT; yourSecret
    ）

    #create只读由我政策
    owner_grant = ACL :: Grant.new
    专营= ACL :: Grantee.new
    owner_grant.grantee =专营公司
    owner_grant.permission =读
    grantee.type =CanonicalUser
    grantee.id ='yourID
    grantee.display_name =YOURNAME


    ＃遍历内斗中的所有文件和政策适用于每个文件
    环办
      对象= Bucket.objects（bucket_name，：标记=＆GT;标记：max_keys =＆GT; 1000）

      标记= objects.last.key
      提出新的标记是\＃{标记} \

      objects.each做| OBJ |
          政策= S3Object.acl（obj.key，bucket_name）
          policy.grants = [owner_grant]
          S3Object.acl（obj.key，bucket_name，政策）
      结束
    结束
  结束
 

PS：对于信息我试图改变使用Firefox S3管理器或桶浏览器中的所有文件ACL，他们没有工作，如果你有几百上千个文件，他们只是冻结

I've got a bucket where i've accidently uploaded thousands of files with ACL to :public_read I would like all files to be unavailable except with a generated access URL.

I tried to create a bucket policy with deny all to everyone, and allow all to me.

It doesnt work and all files are forbidden even with a generated access URL :

http://s3.amazonaws.com/myBucket/myFile.pdf?AWSAccessKeyId=AKIAIZB2XTOJ6KYB5SCA&Expires=1331137308&Signature=zRfPOj4XFBrXhyqDZ5DpwJqsWs0%3D

{
    "Version": "2008-10-17",
    "Id": "Policy1331136935471",
    "Statement": [
        {
            "Sid": "Stmt1331136294179",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::myBucket/*"
        },
        {
            "Sid": "Stmt1331136364169",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::6527...3775:root"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::myBucket/*"
        }
    ]
}

UPDATE :
i found reference to the default deny in the doc but the AWS Policy Generator has only 2 values "Allow" and "Deny" does anyone has the syntax for default deny ?

Thanks for your help

解决方案

Ok, so as far as i understand if i only set allow to me then it should be deny to everyone else by default.

I tried to set that bucket policy but my files are still downloadable : just remove the access key id from the URL, like : http://s3.amazonaws.com/myBucket/myFile.pdf

My files ACL are still set as :public-Read so it seems that indeed i have a conflict between bucket policy and individual files ACL

I gave up making all files private through bucket policy, if anybody ever needs to make a large number of files private inside a S3 bucket, here is the rake task i finally wrote :

  desc "Make all objects in S3 private"
  task :make_private  => :environment do
    require 'aws/s3'

    bucket_name = 'yourBucket'
    marker = ""

    AWS::S3::Base.establish_connection!(
      :access_key_id => "yourKey",
      :secret_access_key => "yourSecret"
    )

    #create the read-only by me policy
    owner_grant = ACL::Grant.new
    grantee = ACL::Grantee.new
    owner_grant.grantee = grantee
    owner_grant.permission = 'READ'
    grantee.type = "CanonicalUser"
    grantee.id = 'yourID'
    grantee.display_name = "yourName"


    # Iterate over all files inside bucket and apply the policy to each files
    loop do
      objects = Bucket.objects(bucket_name, :marker=>marker, :max_keys=>1000)

      marker = objects.last.key
      puts "new marker is \"#{marker}\""

      objects.each do |obj|
          policy = S3Object.acl(obj.key, bucket_name)
          policy.grants = [owner_grant]
          S3Object.acl(obj.key, bucket_name, policy)
      end
    end
  end

P.S: For info i have tried to change all files ACL using Firefox S3 Organizer or bucket explorer, none of them works if you have several hundreds of thousands of files, they just freeze.

这篇关于如何设置Amazon S3的桶政策，私下大家除了管理？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！