Question

我正在构建一个允许Everyone上传到我的S3存储桶的应用，但出于安全考虑，我需要禁用从存储桶中删除的功能。由于upload/delete权限在AWS设置中捆绑在一起，我如何允许一个并阻止另一个？

解决方案：

删除访问策略并添加存储桶策略：

{
"Version": "2008-10-17",
"Statement": [
    {
        "Sid": "AllowPublicRead",
        "Effect": "Allow",
        "Principal": {
            "AWS": "*"
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::bucket_name/*"
    },
    {
        "Effect": "Allow",
        "Principal": {
            "AWS": "*"
        },
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::<bucket_name>/*"
    }
]

}

Answer 1

阅读本文关于ACL和IAM政策之间的区别：

https://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourc

您希望创建与此类似的IAM策略，而不是使用ACL：

{
  "Statement": [
    {
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::<bucket>/<optional_key>",
      "Principal": {
        "AWS": ["*"]
      }
    }
  ]
}

AWS S3在允许上传时阻止删除

1 个答案: