检查 S3 Bucket 上每个文件的文件权限,递归
Check file permissions for each file on a S3 Bucket, recursive
我需要 Python 中的脚本来获取 s3 存储桶中每个文件的所有 ACL,以查看该存储桶中是否有 public 个私有文件。所有文件都是图片,市场部想知道哪些文件是私有的。
像这样
get_acl(object, bucket, ...)
但是对于该存储桶中的所有 10.000 个文件都是递归的。
使用 AWS CLI 我无法完成这项工作,知道在哪里可以找到一些示例吗?
谢谢
当存储桶中的对象为 public 时,您应该获得 200 代码,但如果它们是私有的,则代码将为 403.
所以您首先可以尝试获取存储桶中所有对象的列表:
aws2 s3api list-objects --bucket bucketnamehere
因此,在 python 中,您可以迭代对每个对象的请求,例如:
https://bucketname.s3.us-east-1.amazonaws.com/objectname
您可以使用 Unix 命令行 Curl 进行测试
curl -I https://bucketname.s3.us-east-1.amazonaws.com/objectname
如您所述,您需要列出存储桶中的所有对象,并检查它们的 ACL,或测试是否可以在不进行身份验证的情况下访问该对象。
如果要检查 ACL,可以 运行 依次遍历每个对象并检查:
BUCKET = "example-bucket"
import boto3
s3 = boto3.client('s3')
paginator = s3.get_paginator('list_objects_v2')
# List all of the objects
for page in paginator.paginate(Bucket=BUCKET):
for cur in page.get("Contents", []):
# Get the ACL for each object in turn
# Note: This example does not take into
# account any bucket-level permissions
acl = s3.get_object_acl(Bucket=BUCKET, Key=cur['Key'])
public_read = False
public_write = False
# Check each grant in the ACL
for grant in acl["Grants"]:
# See if the All Users group has been given a right, keep track of
# all possibilites in case there are multiple rules for some reason
if grant["Grantee"].get("URI", "") == "http://acs.amazonaws.com/groups/global/AllUsers":
if grant["Permission"] in {"READ", "FULL_CONTROL"}:
public_read = True
if grant["Permission"] in {"WRITE", "FULL_CONTROL"}:
public_read = True
# Write out the status for this object
if public_read and public_write:
status = "public_read_write"
elif public_read:
status = "public_read"
elif public_write:
status = "public_write"
else:
status = "private"
print(f"{cur['Key']},{status}")
我需要 Python 中的脚本来获取 s3 存储桶中每个文件的所有 ACL,以查看该存储桶中是否有 public 个私有文件。所有文件都是图片,市场部想知道哪些文件是私有的。
像这样
get_acl(object, bucket, ...)
但是对于该存储桶中的所有 10.000 个文件都是递归的。 使用 AWS CLI 我无法完成这项工作,知道在哪里可以找到一些示例吗?
谢谢
当存储桶中的对象为 public 时,您应该获得 200 代码,但如果它们是私有的,则代码将为 403.
所以您首先可以尝试获取存储桶中所有对象的列表:
aws2 s3api list-objects --bucket bucketnamehere
因此,在 python 中,您可以迭代对每个对象的请求,例如:
https://bucketname.s3.us-east-1.amazonaws.com/objectname
您可以使用 Unix 命令行 Curl 进行测试
curl -I https://bucketname.s3.us-east-1.amazonaws.com/objectname
如您所述,您需要列出存储桶中的所有对象,并检查它们的 ACL,或测试是否可以在不进行身份验证的情况下访问该对象。
如果要检查 ACL,可以 运行 依次遍历每个对象并检查:
BUCKET = "example-bucket"
import boto3
s3 = boto3.client('s3')
paginator = s3.get_paginator('list_objects_v2')
# List all of the objects
for page in paginator.paginate(Bucket=BUCKET):
for cur in page.get("Contents", []):
# Get the ACL for each object in turn
# Note: This example does not take into
# account any bucket-level permissions
acl = s3.get_object_acl(Bucket=BUCKET, Key=cur['Key'])
public_read = False
public_write = False
# Check each grant in the ACL
for grant in acl["Grants"]:
# See if the All Users group has been given a right, keep track of
# all possibilites in case there are multiple rules for some reason
if grant["Grantee"].get("URI", "") == "http://acs.amazonaws.com/groups/global/AllUsers":
if grant["Permission"] in {"READ", "FULL_CONTROL"}:
public_read = True
if grant["Permission"] in {"WRITE", "FULL_CONTROL"}:
public_read = True
# Write out the status for this object
if public_read and public_write:
status = "public_read_write"
elif public_read:
status = "public_read"
elif public_write:
status = "public_write"
else:
status = "private"
print(f"{cur['Key']},{status}")