I've a bucket with GetObject available to everyone on full bucket(*). I want to make a few objects private(through Object level operation ACL), i.e. only the bucket owner should have read access to the object. I've gone through all available documentation, but couldn't find any possible way. Can anyone confirm is this possible or not?
我有一个带有GetObject的存储桶可供所有人使用满桶(*)。我想将一些对象设为私有(通过对象级操作ACL),即只有存储桶拥有者应具有对该对象的读访问权。我已经浏览了所有可用的文档,但找不到任何可能的方法。任何人都可以确认这是否可能?
1 个解决方案
#1
1
You cannot use S3 Object ACLs because ACLs do not have a DENY.
您不能使用S3对象ACL,因为ACL没有DENY。
You can modify your S3 policy to specify objects and deny access to individual items.
您可以修改S3策略以指定对象并拒绝对单个项目的访问。
Example S3 Policy (notice that this policy forbids access to everyone for GetObject for two files):
示例S3策略(请注意,此策略禁止对两个文件的GetObject访问每个人):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mybucket/*"
},
{
"Sid": "DenyPublicReadGetObject",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::mybucket/block_this_file",
"arn:aws:s3:::mybucket/block_this_file_too"
]
}
]
}
If you want to add a condition so that certain users can still access the objects, add a condition after the Resource section like this. This condition will allow IAM users john.wayne and bob.hope to still call GetObject.
如果要添加条件以便某些用户仍可以访问对象,请在“资源”部分之后添加条件。这种情况将允许IAM用户john.wayne和bob.hope仍然调用GetObject。
"Resource": [
"arn:aws:s3:::mybucket/block_this_file",
"arn:aws:s3:::mybucket/block_this_file_too"
],
"Condition": {
"StringNotEquals": {
"aws:username": [
"john.wayne",
"bob.hope"
]
}
}
#1
1
You cannot use S3 Object ACLs because ACLs do not have a DENY.
您不能使用S3对象ACL,因为ACL没有DENY。
You can modify your S3 policy to specify objects and deny access to individual items.
您可以修改S3策略以指定对象并拒绝对单个项目的访问。
Example S3 Policy (notice that this policy forbids access to everyone for GetObject for two files):
示例S3策略(请注意,此策略禁止对两个文件的GetObject访问每个人):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mybucket/*"
},
{
"Sid": "DenyPublicReadGetObject",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::mybucket/block_this_file",
"arn:aws:s3:::mybucket/block_this_file_too"
]
}
]
}
If you want to add a condition so that certain users can still access the objects, add a condition after the Resource section like this. This condition will allow IAM users john.wayne and bob.hope to still call GetObject.
如果要添加条件以便某些用户仍可以访问对象,请在“资源”部分之后添加条件。这种情况将允许IAM用户john.wayne和bob.hope仍然调用GetObject。
"Resource": [
"arn:aws:s3:::mybucket/block_this_file",
"arn:aws:s3:::mybucket/block_this_file_too"
],
"Condition": {
"StringNotEquals": {
"aws:username": [
"john.wayne",
"bob.hope"
]
}
}