AWS S3 ACL public-read-write: security concern


Question

From the documentation:

Owner gets FULL_CONTROL. The AllUsers group gets READ and WRITE access. Granting this on a bucket is generally not recommended.

[...]

所有用户"组–代表 http://acs.amazonaws.com/groups/global/AllUsers .的访问权限 该组允许任何人访问资源.请求可以是 已签名(已认证)或未签名(匿名).未签名的请求被忽略 请求中的身份验证标头.

All Users group – Represented by http://acs.amazonaws.com/groups/global/AllUsers. Access permission to this group allows anyone to access the resource. The requests can be signed (authenticated) or unsigned (anonymous). Unsigned requests omit the Authentication header in the request.

But does this mean that every AWS account can read/write my files? Or can only my IAM user read/write my files?

Answer

See this documentation:

Amazon S3 Predefined Groups

Amazon S3 has a set of predefined groups. When granting account access to a group, you specify one of our URIs instead of a canonical user ID. We provide the following predefined groups:

授权用户"组–代表 http://acs.amazonaws.com/groups/global/AuthenticatedUsers .这个小组 代表所有AWS账户.该组的访问权限允许 任何访问资源的AWS账户.但是,所有请求都必须 签名(已认证).

Authenticated Users group – Represented by http://acs.amazonaws.com/groups/global/AuthenticatedUsers. This group represents all AWS accounts. Access permission to this group allows any AWS account to access the resource. However, all requests must be signed (authenticated).

所有用户"组–代表 http://acs.amazonaws.com/groups/global/AllUsers .的访问权限 该组允许任何人访问资源.请求可以是 已签名(已认证)或未签名(匿名).未签名的请求被忽略 请求中的Authentication标头.

All Users group – Represented by http://acs.amazonaws.com/groups/global/AllUsers. Access permission to this group allows anyone to access the resource. The requests can be signed (authenticated) or unsigned (anonymous). Unsigned requests omit the Authentication header in the request.

Log Delivery group – Represented by http://acs.amazonaws.com/groups/s3/LogDelivery. WRITE permission on a bucket enables this group to write server access logs (see Server Access Logging) to the bucket.

With ACLs, you can only share your S3 bucket with other AWS accounts. Someone who is not logged in to an AWS account cannot access your bucket.

If you want both AWS accounts and non-AWS accounts to be able to access your S3 bucket, you must define an S3 bucket policy. For example:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AllowPublicRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::S3-Bucket-name/*"
        }
    ]
}
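As an added example (not part of the question or the answer above), here is a small audit that flags the two kinds of grant discussed on this page: ACL grants to the AllUsers and AuthenticatedUsers groups, and bucket-policy Allow statements whose principal is everyone. It assumes the ACL dict has the shape boto3's get_bucket_acl() returns and the policy is the JSON string get_bucket_policy() returns; the sample values are constructed.

```python
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# Who each group really reaches: AllUsers needs no signature, AuthenticatedUsers any signed request.
GROUP_SCOPE = {ALL_USERS: "anonymous", AUTHENTICATED_USERS: "any-aws-account"}
WRITE_LIKE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

# Constructed sample in the shape boto3's get_bucket_acl() returns (assumption): public-read-write.
SAMPLE_ACL = {
    "Owner": {"ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
    ],
}
# The policy from the answer, as the JSON string get_bucket_policy() returns (assumption).
SAMPLE_POLICY = json.dumps({"Version": "2008-10-17", "Statement": [
    {"Sid": "AllowPublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::S3-Bucket-name/*"}]})


def acl_findings(acl):
    """Return (scope, permission) for every grant to AllUsers or AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in GROUP_SCOPE:
            findings.append((GROUP_SCOPE[grantee["URI"]], grant["Permission"]))
    return findings


def is_world_writable(acl):
    """True when unsigned (anonymous) requests can write objects or change the ACL."""
    return any(s == "anonymous" and p in WRITE_LIKE for s, p in acl_findings(acl))


def policy_findings(policy_json):
    """Return (Sid, actions) for each Allow statement whose principal is everyone ("*")."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal")
        if isinstance(principal, dict):  # {"AWS": "*"} or {"AWS": ["*", ...]}
            principal = principal.get("AWS")
        everyone = principal == "*" or (isinstance(principal, list) and "*" in principal)
        if stmt.get("Effect") == "Allow" and everyone:
            actions = stmt.get("Action", [])
            findings.append((stmt.get("Sid"), [actions] if isinstance(actions, str) else actions))
    return findings
```

Run against a real bucket by feeding it the responses of get_bucket_acl() and get_bucket_policy(); a non-empty result from either function is the condition the quoted documentation calls "generally not recommended".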
