我正在尝试配置S3存储桶,以便仅特定用户而不是公众可以访问它。
我创建了一个名为s3-injury-log的用户以及以下存储桶策略
{
"Id": "Policy1542998309644",
"Version": "2012-10-17",
"Statement": [{
"Sid": "Stmt1542998308012",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::injury-log",
"Principal": {
"AWS": ["arn:aws:iam::058842494618:user/s3-injury-log"]
}
}]
}
我的“阻止所有公共访问”标签如下
Block all public access - Off
Block public access to buckets and objects granted through new access control lists (ACLs) - On
Block public access to buckets and objects granted through any access control lists (ACLs) - On
Block public access to buckets and objects granted through new public bucket policies - Off
Block public and cross-account access to buckets and objects through any public bucket policies - Off
但是当尝试将对象放入存储桶中(使用aws java库)时,出现以下错误消息
Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: CC71A7EFAFC9BBDB; S3 Extended Request ID: klrwopIIJK3PsJzEw
任何提示我在做什么错吗?
答案 0 :(得分:0)
您的策略似乎不正确,仅允许执行存储桶级操作。因此,PutObject操作被拒绝,这是对象级别的。
只需更新您的策略以允许对象级操作:
{
"Id": "Policy1542998309644",
"Version": "2012-10-17",
"Statement": [{
"Sid": "Stmt1542998308012",
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::injury-log",
"arn:aws:s3:::injury-log/*"
]
"Principal": {
"AWS": ["arn:aws:iam::058842494618:user/s3-injury-log"]
}
}]
}