S3:如果由其他用户创建,则用户无法访问自己的s3存储桶中的对象

时间:2021-07-14 23:06:28

An external user has access to our s3 bucket, using these actions in our bucket policy:

外部用户可以使用我们的存储桶策略中的以下操作访问我们的s3存储桶:

"Action": [
            "s3:GetObjectAcl",
            "s3:GetObject",
            "s3:PutObjectAcl",
            "s3:ListMultipartUploadParts",
            "s3:PutObject"
        ]

That user generated temporary credentials, which were then used to upload a file into our bucket.

该用户生成了临时凭证,然后用于将文件上传到我们的存储桶中。

Now, I cannot access the file. In the s3 UI, if I attempt to download the file, I get a 403. If I attempt to change the permissions on that object, I see the message : "Sorry! You do not have permissions to view this bucket." If the external user sets the appropriate header (x-amz-acl bucket-owner-full-control) when uploading the file with the temporary credentials, I can access the file normally. It seems strange to me that even though I own the bucket, it is possible for the external user to put files into it that I am unable to access.

现在,我无法访问该文件。在s3用户界面中,如果我尝试下载文件,我会得到403.如果我尝试更改该对象的权限,我会看到消息:“抱歉!您无权查看该存储桶。”如果外部用户在使用临时凭证上载文件时设置了相应的标头(x-amz-acl bucket-owner-full-control),我可以正常访问该文件。我觉得很奇怪,即使我拥有该存储桶,外部用户也可以将文件放入我无法访问的文件中。

Is it possible that there is some policy I can set so I can access the file, or so that I am able to access any file that is added to my bucket, regardless of how it is added? Thanks!

是否有可能我可以设置一些策略以便我可以访问该文件,或者我可以访问添加到我的存储桶的任何文件,无论它是如何添加的?谢谢!

2 个解决方案

#1


19  

I believe you have to get the object owner to update the ACL or re-write the object specifying bucket owner full control. The simplest way to experiment with this is using the CLI:

我相信您必须让对象所有者更新ACL或重新编写指定存储桶拥有者完全控制的对象。最简单的实验方法是使用CLI:

aws s3api put-object-acl --acl bucket-owner-full-control --bucket some-bucket --key path/to/unreadable.txt

Yeah, I think you have to do that once for each object, I don't think there is a recursive option.

是的,我认为你必须为每个对象做一次,我不认为有一个递归选项。

AWS publishes an example bucket policy to prevent adding objects to the bucket without giving the bucket owner full control. But that will not address ownership of the objects already in your bucket.

AWS发布示例存储桶策略,以防止向存储桶添加对象,而不会让存储桶拥有者完全控制。但这不会解决您桶中已有对象的所有权问题。

I don't know of any policy that will automagically transfer ownership to the bucket owner.

我不知道任何将所有权自动转移到存储桶拥有者的策略。

#2


12  

you can actually use a copy and recursive option to copy all objects back to the bucket and set the acl bucket-owner-full-control by using the following syntax:

您实际上可以使用复制和递归选项将所有对象复制回存储桶并使用以下语法设置acl bucket-owner-full-control:

aws s3 cp s3://myBucket s3://myBucket --recursive --acl bucket-owner-full-control --storage-class STANDARD

#1


19  

I believe you have to get the object owner to update the ACL or re-write the object specifying bucket owner full control. The simplest way to experiment with this is using the CLI:

我相信您必须让对象所有者更新ACL或重新编写指定存储桶拥有者完全控制的对象。最简单的实验方法是使用CLI:

aws s3api put-object-acl --acl bucket-owner-full-control --bucket some-bucket --key path/to/unreadable.txt

Yeah, I think you have to do that once for each object, I don't think there is a recursive option.

是的,我认为你必须为每个对象做一次,我不认为有一个递归选项。

AWS publishes an example bucket policy to prevent adding objects to the bucket without giving the bucket owner full control. But that will not address ownership of the objects already in your bucket.

AWS发布示例存储桶策略,以防止向存储桶添加对象,而不会让存储桶拥有者完全控制。但这不会解决您桶中已有对象的所有权问题。

I don't know of any policy that will automagically transfer ownership to the bucket owner.

我不知道任何将所有权自动转移到存储桶拥有者的策略。

#2


12  

you can actually use a copy and recursive option to copy all objects back to the bucket and set the acl bucket-owner-full-control by using the following syntax:

您实际上可以使用复制和递归选项将所有对象复制回存储桶并使用以下语法设置acl bucket-owner-full-control:

aws s3 cp s3://myBucket s3://myBucket --recursive --acl bucket-owner-full-control --storage-class STANDARD