1
  1. How can I allow reading all objects except a single folder and its contents? The rule below blocks my entire bucket (I can't read the bucket at all).

  2. If that isn't possible, how can I allow reading the files in the root but deny all subfolders?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListBucket",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::my-bucket"
        },
        {
            "Sid": "ReadOnly",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket/*"
        },
        {
            "Sid": "DenyOneFolder",
            "Effect": "Deny",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::my-bucket/my-folder",
                "arn:aws:s3:::my-bucket/my-folder/*"
            ]
        }
    ]
}

My bucket structure:

  • my-bucket
    • my-folder
      • object3
    • object1
    • object2

2 Answers

1

You can add an explicit Deny in your bucket policy for listing objects that match the prefix my-folder.

Edit: this policy only takes effect when the list-bucket request includes the prefix.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListBucket",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::my-bucket"
        },
        {
            "Sid": "ReadOnly",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket/*"
        },
        {
            "Sid": "DenyOneFolderRead",
            "Effect": "Deny",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::my-bucket/my-folder/*"
            ]
        },
        {
            "Sid": "DenyOneFolderList",
            "Effect": "Deny",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::my-bucket",
            "Condition": {
                "StringEquals": {
                    "s3:prefix": "my-folder"
                }
            }
        }
    ]
}
Answered 2020-04-07T16:07:40.373
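A small evaluator for the policy in this answer, as an added example that is not part of the original thread: it applies explicit-deny-over-allow and the StringEquals condition on s3:prefix, and shows the caveat from the edit above, that a listing sent without a prefix is still allowed (and, going one step beyond the answer, that a prefix such as my-folder/ does not match StringEquals either, since that operator is an exact comparison). The evaluation model is a simplified assumption of this example, not AWS's own evaluator.

```python
import fnmatch

# The bucket policy posted in this answer, embedded so the script runs offline.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ListBucket", "Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::my-bucket"},
    {"Sid": "ReadOnly", "Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::my-bucket/*"},
    {"Sid": "DenyOneFolderRead", "Effect": "Deny", "Action": "s3:GetObject",
     "Resource": ["arn:aws:s3:::my-bucket/my-folder/*"]},
    {"Sid": "DenyOneFolderList", "Effect": "Deny", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::my-bucket",
     "Condition": {"StringEquals": {"s3:prefix": "my-folder"}}},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_holds(statement, context):
    """Only StringEquals is modelled (assumption: it is all this policy uses).
    A key absent from the request context never matches, as in IAM."""
    for key, expected in statement.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key) != expected:
            return False
    return True

def evaluate(policy, action, resource, context=None):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request. Simplified model:
    exact action names, fnmatch wildcards in Resource ARNs, explicit Deny beats Allow."""
    context = context or {}
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if action not in _as_list(st["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(st["Resource"])):
            continue
        if not _condition_holds(st, context):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # an explicit Deny ends evaluation immediately
        decision = "Allow"
    return decision

if __name__ == "__main__":
    bucket = "arn:aws:s3:::my-bucket"
    print(evaluate(POLICY, "s3:GetObject", bucket + "/my-folder/object3"))         # Deny
    print(evaluate(POLICY, "s3:ListBucket", bucket, {"s3:prefix": "my-folder"}))   # Deny
    print(evaluate(POLICY, "s3:ListBucket", bucket))                               # Allow: no prefix sent
    print(evaluate(POLICY, "s3:ListBucket", bucket, {"s3:prefix": "my-folder/"}))  # Allow: not an exact match
```

The last two results are the gap the edit warns about: keys under my-folder/ are still returned by a plain listing, so the Deny on s3:GetObject is what actually protects the contents.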
0

The policy works as expected, but I would remove the deny on arn:aws:s3:::my-bucket/my-folder because it does nothing.

I think the confusion here is that you expect this policy to stop the IAM user from listing and/or getting s3://my-bucket/my-folder/. It won't do that, in particular the listing part; in fact you can't do that. You can't control a user's ability to list the bucket at a granular level (e.g. below a particular prefix).

The policy will successfully stop the user from getting (i.e. downloading) s3://my-bucket/my-folder/.

Answered 2020-04-07T15:23:00.150