如何删除“删除” Amazon S3 上的权限
在 Amazon S3 控制台中,我只看到“上传/删除”的权限选项。有没有办法允许上传但不允许删除?
In the Amazon S3 console I only see a permission option for "upload/delete". Is there a way to allow uploading but not deleting?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
您直接在 AWS 管理控制台 中看到的权限基于初始且相对简单的 可用于 S3 的访问控制列表 (ACL),本质上是区分读取和写入权限,请参阅指定权限:
桶策略(应用于存储桶级别)和 IAM策略(应用于用户级别的权限),并且所有三个也可以一起使用(这可能会变得相当复杂,如下所述),请参阅整个图片的访问控制。
您的用例可能需要相应的存储桶策略,您也可以直接从 S3 控制台添加该策略。单击添加存储桶策略将打开存储桶策略编辑器,其中包含指向几个示例以及强烈推荐的AWS 策略生成器,它允许您组合针对您的使用案例的策略。
对于其他锁定的存储桶,最简单的形式可能如下所示(请确保根据您的需求调整主体和资源):
根据您的用例,您可以轻松通过组合各种允许和拒绝操作等来制定相当复杂的策略 - 这显然也会产生无意的权限,因此正确的测试像往常一样是关键;因此,请注意使用同时使用 ACL 和存储桶策略时的影响 或 IAM 和存储桶策略一起。
最后,您可能还想看看我对在简单的 AWS 用户策略中指定单个存储桶的问题的回答,它解决了另一个常见的策略陷阱。
The permissions you are seeing in the AWS Management Console directly are based on the initial and comparatively simple Access Control Lists (ACL) available for S3, which essentially differentiated READ and WRITE permissions, see Specifying a Permission:
These limitations have been addressed by adding Bucket Policies (permissions applied on the bucket level) and IAM Policies (permissions applied on the user level), and all three can be used together as well (which can become rather complex, as addressed below), see Access Control for the entire picture.
Your use case probably asks for a respective bucket policy, which you an add directly from the S3 console as well. Clicking on Add bucket policy opens the Bucket Policy Editor, which features links to a couple of samples as well as the highly recommended AWS Policy Generator, which allows you to assemble a policy addressing your use case.
For an otherwise locked down bucket, the simplest form might look like so (please ensure to adjust Principal and Resource to your needs):
Depending on your use case, you can easily compose pretty complex policies by combining various Allow and Deny actions etc. - this can obviously yield inadvertent permissions as well, thus proper testing is key as usual; accordingly, please take care of the implications when using Using ACLs and Bucket Policies Together or IAM and Bucket Policies Together.
Finally, you might want to have a look at my answer to Problems specifying a single bucket in a simple AWS user policy as well, which addresses another commonly encountered pitfall with policies.
您可以将禁止删除策略附加到您的 s3 存储桶。例如,如果您不希望该 IAM 用户对任何存储桶或任何对象执行任何删除操作,您可以设置如下内容:
此外,您可以使用策略模拟器检查您的策略 https://policysim.aws.amazon.com 检查您的设置是否符合您的预期。
希望这有帮助!
You can attach no-delete policy to your s3 bucket. For example if you don't want this IAM user to perform any delete operation to any buckets or any objects, you can set something like this:
Also, you can check your policy with policy simulator https://policysim.aws.amazon.com to check if your set up is what you expected or not.
Hope this helps!
这很完美。感谢 Pung Worathiti Manosroi。结合他提到的政策如下:
This worked perfect . Thanks to Pung Worathiti Manosroi . combined his mentioned policy as per below:
是的,
s3:DeleteObject是一个选项:http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html
但是,更改现有对象之间没有区别(这会导致允许有效删除它)并创建一个新对象。
Yes,
s3:DeleteObjectis an option:http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html
However, there is no differentiation between changing an existing object (which would allow effectively deleting it) and creating a new object.