S3存储桶策略:在公共存储桶中,将子文件夹设为私有

时间:2013-12-06 20:20:31

标签: amazon-web-services amazon-s3

我有一个装满内容的桶,需要大部分公开。但是,有一个文件夹(又名"前缀")只能由经过身份验证的IAM用户访问。

{
  "Statement": [
    {
      "Sid": "AllowIAMUser",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket/prefix1/prefix2/private/*",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:user/bobbydroptables"
        ]
      }
    },
    {
      "Sid": "AllowAccessToAllExceptPrivate",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket/*",
      "Condition": {
        "StringNotLike": {
          "s3:prefix": "prefix1/prefix2/private/"
        }
      },
      "Principal": {
        "AWS": [
          "*"
        ]
      }
    }
  ]
}

当我尝试保存此策略时,我从AWS收到以下错误消息:

Conditions do not apply to combination of actions and resources in statement -
  Condition "s3:prefix"
  and action "s3:GetObject"
  in statement "AllowAccessToAllExceptPrivate"

显然,此错误特别适用于第二个语句。是不是可以使用" s3:前缀"条件与" s3:GetObject"动作?

是否可以获取公共存储桶的一部分并使其仅对经过身份验证的用户可访问?

如果重要,只能通过api以只读方式访问此存储桶。

这个问题类似于Amazon S3 bucket policy for public restrictions only,除了我试图通过采用不同的方法解决问题。

1 个答案:

答案 0 :(得分:20)

在对AWS文档进行大量挖掘以及在策略编辑器中进行了许多反复试验之后,我认为我找到了一个合适的解决方案。

显然,AWS提供了一个名为NotResource的选项(当前未在策略生成器中找到)。

The NotResource element lets you grant or deny access to all but a few
of your resources, by allowing you to specify only those resources to
which your policy should not be applied.

有了这个,我甚至不需要玩弄条件。这意味着以下语句将在存储桶策略中起作用:

{
  "Sid": "AllowAccessToAllExceptPrivate",
  "Action": [
    "s3:GetObject",
    "s3:GetObjectVersion"
  ],
  "Effect": "Allow",
  "NotResource": [
    "arn:aws:s3:::bucket/prefix1/prefix2/private/*",
    "arn:aws:s3:::bucket/prefix1/prefix2/private"
  ],
  "Principal": {
    "AWS": [
      "*"
    ]
  }
}