AWS S3 允许读取除特定文件夹以外的所有对象
AWS S3 Allows reading of all objects except a specific folder
如何允许读取除单个文件夹及其内容之外的所有对象?
下面的规则阻止了我整个桶..(无法读取桶)
如果无法使用此功能,我如何允许读取根目录下的文件但拒绝读取所有子文件夹?
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListBucket",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::my-bucket"
},
{
"Sid": "ReadOnly",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*"
},
{
"Sid": "DenyOneFolder",
"Effect": "Deny",
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::my-bucket/my-folder",
"arn:aws:s3:::my-bucket/my-folder/*"
]
}
]
}
我的桶结构:
- 我的桶
- 我的文件夹
- 对象 3
- 对象 1
- 对象2
虽然我会删除 arn:aws:s3:::my-bucket/my-folder 上的拒绝,但该政策可以正常工作,因为它没有用。
我认为这里的混淆是您期望此策略阻止 IAM 用户列表 and/or 获取 s3://my-bucket/my-folder/ 下的对象。它不会那样做,特别是列表部分,事实上你不能那样做。您无法控制用户在粒度级别(例如在特定前缀下方)列出存储桶的能力。
该策略将成功阻止用户在 s3://my-bucket/my-folder/.
下获取(如下载)对象
您可以在存储桶策略中添加显式 Deny 以列出与前缀 my-folder 匹配的对象。
编辑:仅当列表桶请求包含前缀时,此策略才有效。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListBucket",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::my-bucket"
},
{
"Sid": "ReadOnly",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*"
},
{
"Sid": "DenyOneFolderRead",
"Effect": "Deny",
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::my-bucket/my-folder/*"
]
},
{
"Sid": "DenyOneFolderList",
"Effect": "Deny",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::my-bucket",
"Condition" : {
"StringEquals" : {
"s3:prefix": "my-folder"
}
}
}
]
}
如何允许读取除单个文件夹及其内容之外的所有对象? 下面的规则阻止了我整个桶..(无法读取桶)
如果无法使用此功能,我如何允许读取根目录下的文件但拒绝读取所有子文件夹?
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListBucket",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::my-bucket"
},
{
"Sid": "ReadOnly",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*"
},
{
"Sid": "DenyOneFolder",
"Effect": "Deny",
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::my-bucket/my-folder",
"arn:aws:s3:::my-bucket/my-folder/*"
]
}
]
}
我的桶结构:
- 我的桶
- 我的文件夹
- 对象 3
- 对象 1
- 对象2
- 我的文件夹
虽然我会删除 arn:aws:s3:::my-bucket/my-folder 上的拒绝,但该政策可以正常工作,因为它没有用。
我认为这里的混淆是您期望此策略阻止 IAM 用户列表 and/or 获取 s3://my-bucket/my-folder/ 下的对象。它不会那样做,特别是列表部分,事实上你不能那样做。您无法控制用户在粒度级别(例如在特定前缀下方)列出存储桶的能力。
该策略将成功阻止用户在 s3://my-bucket/my-folder/.
您可以在存储桶策略中添加显式 Deny 以列出与前缀 my-folder 匹配的对象。
编辑:仅当列表桶请求包含前缀时,此策略才有效。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListBucket",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::my-bucket"
},
{
"Sid": "ReadOnly",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*"
},
{
"Sid": "DenyOneFolderRead",
"Effect": "Deny",
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::my-bucket/my-folder/*"
]
},
{
"Sid": "DenyOneFolderList",
"Effect": "Deny",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::my-bucket",
"Condition" : {
"StringEquals" : {
"s3:prefix": "my-folder"
}
}
}
]
}