Bucket policy denying S3:DeleteBucket and S3:DeleteObject still deletes objects


Problem description

I've applied the following bucket policy to a my-bucket.myapp.com S3 bucket:

{
    "Version": "2008-10-17",
    "Id": "PreventAccidentalDeletePolicy",
    "Statement": [
        {
            "Sid": "PreventAccidentalDelete",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:DeleteBucket",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket.myapp.com",
                "arn:aws:s3:::my-bucket.myapp.com/*"
            ]
        }
    ]
}

Then in the console, when I attempt to delete the bucket (right-click, Delete) I get the error I'm expecting: Access Denied.

BUT, and here's the rub, the problem is that it still deletes all the objects that are in the bucket.

Why is that?

And it even happens with a versioned bucket. It just wipes all the versions and the objects are GONE.

Recommended answer

Recommended best practice is to not use the root account aside from creating your initial IAM user, so you can add restrictions to prevent such an incident. In the event someone has a use-case that needs this behavior programmatically, they don't want to put limits in the system as "safeguards". It's up to the user to follow best practice and implement the necessary safeguards as applicable to their situation.

The exact process for how Amazon authorizes actions on S3 objects: http://docs.aws.amazon.com/AmazonS3/latest/dev/how-s3-evaluates-access-control.html

Section 2|A of this document describes the behavior applied to the root account in the user context: "If the request is made using root credentials of an AWS account, Amazon S3 skips this step."
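
As an added example (not code from the question or the answer above), the following Python is a toy evaluator for the bucket policy in the question. It does two things: it applies IAM's wildcard matching of Action and Resource, so you can see exactly which requests the PreventAccidentalDelete statement catches, and it models the answer's reading of the cited doc, namely that a request made with the account's root credentials skips the user-context step and therefore never hits the explicit Deny. The sample requests, the `identity_allows` flag and the object key are constructed for illustration; the real S3 engine has more steps than this model, so treat the linked AWS page as the authority on evaluation order.

```python
"""Toy evaluator for the PreventAccidentalDelete bucket policy.

Added example, not part of the original post. Assumptions: the sample
requests below are constructed; `identity_allows` stands in for the
caller's own IAM policy; the root shortcut follows the answer's reading
of the AWS doc and is not a complete model of the S3 evaluation engine.
"""
import fnmatch
import json

# The bucket policy from the question, reproduced verbatim.
BUCKET_POLICY = json.loads(r"""
{
    "Version": "2008-10-17",
    "Id": "PreventAccidentalDeletePolicy",
    "Statement": [
        {
            "Sid": "PreventAccidentalDelete",
            "Effect": "Deny",
            "Principal": {"AWS": "*"},
            "Action": ["s3:DeleteBucket", "s3:DeleteObject"],
            "Resource": [
                "arn:aws:s3:::my-bucket.myapp.com",
                "arn:aws:s3:::my-bucket.myapp.com/*"
            ]
        }
    ]
}
""")

BUCKET_ARN = "arn:aws:s3:::my-bucket.myapp.com"


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style element matching: '*' matches any run of characters
    (including '/'), '?' matches one character; comparison is case-sensitive."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def denying_sids(policy, action, resource):
    """Sids of Deny statements whose Action and Resource both match the request."""
    return [
        s["Sid"] for s in policy["Statement"]
        if s["Effect"] == "Deny"
        and _matches(s["Action"], action)
        and _matches(s["Resource"], resource)
    ]


def decide(policy, is_root, action, resource, identity_allows):
    """Return 'Deny' or 'Allow' for one request.

    identity_allows: whether the caller's own IAM policy grants the action
    (an administrator-style user would have this True). Following the
    answer's reading of the doc, root credentials skip the user-context
    step entirely, which is where this toy model applies the bucket
    policy's Deny.
    """
    if is_root:
        return "Allow"
    if denying_sids(policy, action, resource):
        return "Deny"  # an explicit deny always wins over an allow
    return "Allow" if identity_allows else "Deny"  # no allow at all: implicit deny


if __name__ == "__main__":
    obj = BUCKET_ARN + "/photos/cat.jpg"  # constructed object ARN
    # Constructed sample requests: (who, is_root, action, resource)
    for who, is_root, action, res in [
        ("iam-admin", False, "s3:DeleteBucket", BUCKET_ARN),
        ("iam-admin", False, "s3:DeleteObject", obj),
        ("iam-admin", False, "s3:DeleteObjectVersion", obj),  # not listed in the policy
        ("root", True, "s3:DeleteObject", obj),
    ]:
        verdict = decide(BUCKET_POLICY, is_root, action, res, identity_allows=True)
        print(f"{who:9} {action:23} -> {verdict:5}  "
              f"matched: {denying_sids(BUCKET_POLICY, action, res)}")
```

Two things the run makes visible. First, the Deny is only as wide as its Action list: a DELETE that names a specific versionId on a versioned bucket is authorised as s3:DeleteObjectVersion, which this policy does not list, so the statement does not stop an IAM caller from permanently removing versions either. Second, in the root case the policy is never consulted at all in this model, which is the behaviour the answer attributes to the user-context step being skipped.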
