AWS S3存储桶策略显式拒绝

时间:2021-06-22 10:47:39

I'm trying to restrict my bucket to deny everything, but allow uploads from one specific IAM user and get objects based on referer header. Here is my policy:

我试图限制我的存储桶拒绝所有内容,但允许从一个特定的IAM用户上传并根据引用标头获取对象。这是我的政策:

{
    "Version": "2012-10-17",
    "Id": "Meteor refer policy",
    "Statement": [
        {
            "Sid": "allow upload",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::556754141176:user/username"
            },
            "Action": "s3:PutObject*",
            "Resource": [
                "arn:aws:s3:::bucketname",
                "arn:aws:s3:::bucketname/*"
            ]
        },
        {
            "Sid": "Allow get",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "bucketname/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": [
                        "http://myapp.com*",
                        "http://localhost*"
                    ]
                }
            }
        },
        {
            "Sid": "Explicit deny",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "bucketname/*",
            "Condition": {
                "StringNotLike": {
                    "aws:Referer": [
                        "http://myapp.com*",
                        "http://localhost*"
                    ]
                }
            }
        }
    ]
}

This policy correctly enforces the GetObject directive to only the referer header, but I'm not able to upload anything with that user like I stated. If I take out the explicit deny, I can access the object from anywhere and the referer doesn't matter. What is wrong with my policy? Also, I can't access anything in the bucket from the console. What do I need to do for that?

此策略正确地将GetObject指令强制执行到referer标头,但我无法像我所说的那样使用该用户上传任何内容。如果我取出显式拒绝,我可以从任何地方访问该对象,并且引用无关紧要。我的保单有什么问题?此外,我无法从控制台访问存储桶中的任何内容。我需要做些什么呢?

Thanks,

谢谢,

1 个解决方案

#1


2  

By default, all content in an Amazon S3 bucket is private. So, just add access to users that should be permitted.

默认情况下,Amazon S3存储桶中的所有内容都是私有的。因此,只需添加对应该允许的用户的访问权限。

Also, merely granting PutObject will only allow that API call and will not permit access via the AWS Management Console, which requires permissions like ListAllMyBuckets. So, make sure the uploading user either has the necessary permissions, or only uses the API calls that it are permitted.

此外,仅授予PutObject将仅允许该API调用,并且不允许通过AWS管理控制台进行访问,这需要像ListAllMyBuckets这样的权限。因此,请确保上传用户具有必要的权限,或仅使用允许的API调用。

Therefore:

因此:

  • Remove the Deny policy -- it is not required
  • 删除拒绝策略 - 不是必需的
  • In the GetObject policy, you should also remove "Resource": "bucketname/*", because that is explicit in the fact that the Bucket Policy applies to the bucket to which it is attached
  • 在GetObject策略中,您还应该删除“资源”:“bucketname / *”,因为这是明确的,因为Bucket Policy适用于它所附加的存储桶
  • Have the uploading user use the AWS Command-Line Interface (CLI) or a web page to upload, that only requires PutObject OR grant additional permissions to be able to use the AWS Management Console for Amazon S3 (shown below)
  • 让上传用户使用AWS命令行界面(CLI)或网页上传,只需要PutObject或授予其他权限即可使用适用于Amazon S3的AWS管理控制台(如下所示)

Here is a set of permissions that would grant upload access within the Amazon S3 management console (with thanks to Is there an S3 policy for limiting access to only see/access one bucket?):

以下是一组权限,可以在Amazon S3管理控制台中授予上载访问权限(感谢是否有用于限制访问的S3策略,只能查看/访问一个存储桶?):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::bucketname"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        }
    ]
}

#1


2  

By default, all content in an Amazon S3 bucket is private. So, just add access to users that should be permitted.

默认情况下,Amazon S3存储桶中的所有内容都是私有的。因此,只需添加对应该允许的用户的访问权限。

Also, merely granting PutObject will only allow that API call and will not permit access via the AWS Management Console, which requires permissions like ListAllMyBuckets. So, make sure the uploading user either has the necessary permissions, or only uses the API calls that it are permitted.

此外,仅授予PutObject将仅允许该API调用,并且不允许通过AWS管理控制台进行访问,这需要像ListAllMyBuckets这样的权限。因此,请确保上传用户具有必要的权限,或仅使用允许的API调用。

Therefore:

因此:

  • Remove the Deny policy -- it is not required
  • 删除拒绝策略 - 不是必需的
  • In the GetObject policy, you should also remove "Resource": "bucketname/*", because that is explicit in the fact that the Bucket Policy applies to the bucket to which it is attached
  • 在GetObject策略中,您还应该删除“资源”:“bucketname / *”,因为这是明确的,因为Bucket Policy适用于它所附加的存储桶
  • Have the uploading user use the AWS Command-Line Interface (CLI) or a web page to upload, that only requires PutObject OR grant additional permissions to be able to use the AWS Management Console for Amazon S3 (shown below)
  • 让上传用户使用AWS命令行界面(CLI)或网页上传,只需要PutObject或授予其他权限即可使用适用于Amazon S3的AWS管理控制台(如下所示)

Here is a set of permissions that would grant upload access within the Amazon S3 management console (with thanks to Is there an S3 policy for limiting access to only see/access one bucket?):

以下是一组权限,可以在Amazon S3管理控制台中授予上载访问权限(感谢是否有用于限制访问的S3策略,只能查看/访问一个存储桶?):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::bucketname"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        }
    ]
}