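I created a bucket named (apple-bucket) in "AWS account 1" and granted access to another account, "AWS account 2", to upload files to apple-bucket.
Uploading files from "AWS account 2" to the account 1 bucket succeeds.
When I download a file from S3 (apple-bucket), I get access denied in the console.
My bucket policy is: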
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Access",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::******:role/role-name",
          "arn:aws:iam::******:root"
        ]
      },
      "Action": [
        "s3:ListBucket",
        "s3:PutObject",
        "s3:ListBucketVersions",
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::apple-bucket/*",
        "arn:aws:s3:::apple-bucket"
      ]
    },
    {
      "Sid": "Access1",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketVersions",
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::apple-bucket/*",
        "arn:aws:s3:::apple-bucket"
      ]
    }
  ]
}
Note: from the command line I can download the file using the "QA AWS credentials", but not using the "PROD AWS" credentials.
Answer 0 (score: 0)
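As Michael and John discussed (in the comments), you can correct the S3 object ACLs by copying the existing objects, or avoid the download problem by making sure the ACL is set correctly at upload time.
Recently I had to fix this at a fairly large scale (millions of objects without the proper ACL). After bearing the time and expense of copying all of those objects in place, I put a bucket policy in place to ensure that all objects uploaded to the bucket must grant the bucket owner full control.
This example policy shows how to allow a specific AWS account to upload objects to your bucket while requiring the proper object ACL: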
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSourceAccount0123456789ToPutObjects",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::0123456789:root"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::apple-bucket/*"
    },
    {
      "Sid": "RequireAllUploadedObjectsToAssignFullControlToBucketOwner",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::apple-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
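The key is the explicit deny, which checks for the x-amz-acl: bucket-owner-full-control header and fails any upload operation where that header is not set. When uploading files with the AWS CLI, this requires setting the --acl bucket-owner-full-control flag.
Example: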
aws s3 cp example-file.txt s3://apple-bucket/example-file.txt --profile aws-profile-name --acl bucket-owner-full-control
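
To see why the Deny statement in the answer's policy also rejects uploads that send no ACL header at all, the following added example (not part of the original answer, and not AWS code) evaluates that policy locally for a PutObject request. It is a simplified model that assumes only the bucket policy applies; `evaluate_put` and its helpers are hypothetical names, and identity policies, object ownership settings and other condition operators are not modeled.

```python
import fnmatch

# The answer's bucket policy as a dict (account id is the answer's sample value).
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowSourceAccount0123456789ToPutObjects", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::0123456789:root"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::apple-bucket/*"},
    {"Sid": "RequireAllUploadedObjectsToAssignFullControlToBucketOwner",
     "Effect": "Deny", "Principal": {"AWS": "*"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::apple-bucket/*",
     "Condition": {"StringNotEquals":
                   {"s3:x-amz-acl": "bucket-owner-full-control"}}},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(stmt, principal_arn):
    p = stmt["Principal"]
    values = ["*"] if p == "*" else _as_list(p["AWS"])
    return "*" in values or principal_arn in values

def _condition_holds(stmt, context):
    for op, pairs in stmt.get("Condition", {}).items():
        if op != "StringNotEquals":
            raise NotImplementedError(op)  # only the operator used on this page
        for key, wanted in pairs.items():
            # Negated operator: a key absent from the request counts as
            # "not equal", so the condition is true and the Deny applies.
            if key in context and context[key] in _as_list(wanted):
                return False
    return True

def evaluate_put(principal_arn, object_key, acl_header=None, policy=POLICY):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for a PutObject."""
    resource = f"arn:aws:s3:::apple-bucket/{object_key}"
    context = {} if acl_header is None else {"s3:x-amz-acl": acl_header}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if ("s3:PutObject" in _as_list(stmt["Action"])
                and _principal_matches(stmt, principal_arn)
                and any(fnmatch.fnmatchcase(resource, r)
                        for r in _as_list(stmt["Resource"]))
                and _condition_holds(stmt, context)):
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # an explicit deny overrides any allow
            decision = "Allow"
    return decision
```
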