公开限制亚马逊S3斗政策只 [英] Amazon S3 bucket policy for public restrictions only
问题描述
我想限制公众获得我们存储在S3中的一些对象,但显示出按键的同一层的其他对象。例如,假设我要让 bucketname / *
公开可读。但要prevent访问 bucketname / * /隐藏/ *
对于不是EX在IAM pressly获准进入<任何用户/强>。
I'd like to restrict public access to some objects we have stored in S3, but show other objects in the same hierarchy of keys. For example, assume I want to make bucketname/*
publicly readable. But want to prevent access to bucketname/*/hidden/*
for any users that are not expressly given access in IAM.
我可以做到这一点就像一只水桶策略:
I can do that with a bucket policy like:
{
"Id": "Policy123",
"Statement": [
{
"Sid": "Stmt123",
"Action": [ "s3:GetObject" ],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucketname/*",
"Principal": {
"AWS": [ "*" ]
}
},
{
"Sid": "Stmt124",
"Action": [ "s3:GetObject" ],
"Effect": "Deny",
"Resource": "arn:aws:s3:::bucketname/*/hidden/*",
"Principal": {
"AWS": [ "*" ]
}
]
}
但是,prevents我已经访问隐藏的对象授予任何IAM用户/组。是否有在只匹配未经验证的访问的第二条语句的主要的设置?或者更好的是,有没有办法仅列出的校长的应该不会受政策声明?
But that prevents any IAM users/groups I have granted from accessing the hidden objects. Is there a setting for Principal in the second statement that only matches unauthenticated access? Or better yet, is there a way to list only those Principals that should NOT be affected by a policy statement?
推荐答案
据AWS的支持,这是目前不可能的。任何拒绝
政策覆盖匹配(或子集)允许
政策,也没有办法拒绝匿名访问而已。
According to AWS support, this is currently not possible. Any Deny
policy overrides a matching (or subset) Allow
policy and there is no way to deny anonymous access only.
有一个类似的效果可以通过指定用于匹配的所有对象的私人ACL来实现bucketname / * /隐藏/ *
,但就是不够灵活,必须手动应用
A similar effect can be achieved by specifying a private ACL for all objects matching bucketname/*/hidden/*
, but that is not as flexible and must be applied manually.
这篇关于公开限制亚马逊S3斗政策只的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!