如何拒绝任何资源未加密的上传到 S3 存储桶?
How to deny unencrypted uploads to an S3 bucket by any resource?
我想阻止未加密的所有资源上传到 S3 存储桶。我正在尝试使用 S3 策略来执行此操作,如下所示:
PolicyS3BucketPolicy:
Type: AWS::S3::BucketPolicy
DependsOn: PolicyS3Bucket
Properties:
Bucket: !Ref PolicyS3Bucket
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Deny
Sid: DenyUnEncryptedObjectUploads
Action: "s3:PutObject"
Resource: "*"
Principal:
AWS: "*"
Condition:
StringNotEquals:
"s3:x-amz-server-side-encryption": "aws:kms"
为简洁起见,省略了PolicyS3Bucket资源定义。
当我尝试部署我的服务时,出现此错误:
PolicyS3BucketPolicy - Policy has invalid resource (Service: Amazon S3; Status Code: 400; Error Code: MalformedPolicy; Request ID: 5E5PR65Y1JY805Q0; S3 Extended Request ID: hxBAxt2qqqkgMRlF9JS5J0LFJ0EPxHU3mhIjYZ/x1kp+WT5FdlHSKEpY97x0gT2ZE0KXKMqzyKo=; Proxy: null).
如何设置 Resource 值,以便此策略拒绝所有资源?
我认为问题在于您的 S3 存储桶策略表明:
Resource: "*"
它的范围应该是实际的桶,例如:
Resource: "arn:aws:s3:::mybucket/*"
或者如果您使用的是无服务器框架,则类似于以下内容:
Resource: arn:aws:s3:::${self:custom.config.myBucketName}/*
我想阻止未加密的所有资源上传到 S3 存储桶。我正在尝试使用 S3 策略来执行此操作,如下所示:
PolicyS3BucketPolicy:
Type: AWS::S3::BucketPolicy
DependsOn: PolicyS3Bucket
Properties:
Bucket: !Ref PolicyS3Bucket
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Deny
Sid: DenyUnEncryptedObjectUploads
Action: "s3:PutObject"
Resource: "*"
Principal:
AWS: "*"
Condition:
StringNotEquals:
"s3:x-amz-server-side-encryption": "aws:kms"
为简洁起见,省略了PolicyS3Bucket资源定义。
当我尝试部署我的服务时,出现此错误:
PolicyS3BucketPolicy - Policy has invalid resource (Service: Amazon S3; Status Code: 400; Error Code: MalformedPolicy; Request ID: 5E5PR65Y1JY805Q0; S3 Extended Request ID: hxBAxt2qqqkgMRlF9JS5J0LFJ0EPxHU3mhIjYZ/x1kp+WT5FdlHSKEpY97x0gT2ZE0KXKMqzyKo=; Proxy: null).
如何设置 Resource 值,以便此策略拒绝所有资源?
我认为问题在于您的 S3 存储桶策略表明:
Resource: "*"
它的范围应该是实际的桶,例如:
Resource: "arn:aws:s3:::mybucket/*"
或者如果您使用的是无服务器框架,则类似于以下内容:
Resource: arn:aws:s3:::${self:custom.config.myBucketName}/*