在S3存储桶中拒绝具有特定标签值的DeleteObject

时间:2019-07-03 08:11:39

标签: amazon-web-services amazon-s3

我偶然发现了以下问题:我无法创建存储桶策略来拒绝删除具有特定标签值的对象的对象。

通过尝试创建如下语句:

{
    "Sid": "Stmt1234",
    "Action": "s3:DeleteObject",
    "Effect": "Deny",
    "Resource": [
         "arn:aws:s3:::foo/*",
         "arn:aws:s3:::foo"
     ],
     "Principal": "*",
     "Condition": {
        "StringLike": {
            "s3:ExistingObjectTag/DoNotDelete": "true"
         }
     }
}

我收到此错误:

Conditions do not apply to combination of actions and resources in statement

但是,如果我将Action更改为s3:DeleteObjectTagging,则该策略生效。我想这是因为可以对特定操作使用哪些条件的限制:https://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html

有什么办法可以创建这样的政策?

2 个答案:

答案 0 :(得分:1)

如果您查看Actions, Resources, and Condition Keys for Amazon S3 - AWS Identity and Access Management,将会看到:

  • DeleteObjectTagging的条件键为s3:ExistingObjectTag/<key>
  • DeleteObject没有与标签相关的条件键

您只能在列出该特定操作的条件的策略中使用Condition

答案 1 :(得分:0)

s3:ExistingObjectTag对s3:DeleteObject操作不可用。我更喜欢您使用名为“ aws:TagKeys”的全局条件键,例如:

{
    "Sid": "Stmt1234",
    "Action": "s3:DeleteObject",
    "Effect": "Deny",
    "Resource": [
         "arn:aws:s3:::foo/*",
         "arn:aws:s3:::foo"
     ],
     "Principal": "*",
     "Condition": {
        "StringLike": {
            "aws:TagKeys": "DoNotDelete"
         }
     }
}

希望,它会有所帮助。

相关问题
最新问题