Can we allow getObject with bucket policy using "Effect": "Deny" and condition

0

My policy is the JSON below:

```json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowPublicRead",
      "Effect": "Deny",
      "Principal": { "AWS": "" },
      "Action": [ "s3:GetObject", "s3:PutObject", "s3:ListBucket" ],
      "Resource": [ "arn:aws:s3:::ABC_123", "arn:aws:s3:::ABC_123/" ],
      "Condition": {
        "StringNotLike": {
          "aws:Referer": [
            "http://www.training.sedarspine.com/",
            "http://training.sedarspine.com/",
            "https://www.training.sedarspine.com/",
            "https://training.sedarspine.com/",
            "https://sedarspine.com/",
            "https://www.sedarspine.com/",
            "https://burtlan.sedarspine.com/",
            "https://www.burtlan.sedarspine.com/",
            "https://sedarglobal.com/",
            "https://www.sedarglobal.com/",
            "https://live.sedarglobal.com/",
            "https://www.live.sedarglobal.com/",
            "http://live.sedarglobal.com/",
            "http://www.live.sedarglobal.com/",
            "https://test.sedarglobal.com/",
            "https://www.test.sedarglobal.com/",
            "http://localspine.com/",
            "https://localspine.com/",
            "http://www.localspine.com/",
            "https://login.burtlan.com/",
            "https://sc.sedarglobal.com/",
            "http://sc.sedarglobal.com/",
            "https://spinebusiness.com/",
            "http://spinebusiness.com/",
            "http://localburtlan.com/",
            "http://pre.sedarglobal.com/",
            "https://pre.sedarglobal.com/",
            "https://localspine.test/",
            "http://132.1.0.105:3000/",
            "http://dxb.sedarspine.com/",
            "https://dxb.sedarspine.com/",
            "https://sedaruae.homeip.net/",
            "http://localhost:3000/"
          ]
        }
      }
    },
    {
      "Sid": "AllowPublicRead-1",
      "Effect": "Allow",
      "Principal": "",
      "Action": [ "s3:GetObject", "s3:PutObject", "s3:ListBucket" ],
      "Resource": [ "arn:aws:s3:::ABC_123", "arn:aws:s3:::ABC_123/*" ]
    }
  ]
}
```

asked 2 years ago, 248 views
1 answer
1

The question could use some clarification with the description given. However, the posted policy will "DENY" a "blank" Principal to perform the "Action" ("s3:GetObject","s3:PutObject","s3:ListBucket") if the referrer is not a part of the list. When the principal becomes specified it should be okay for IAM purposes, especially if it goes from "blank" to "*".

referrer documentation

AWS
JClapp
answered 9 months ago
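To see how a Deny statement gated on `aws:Referer` combines with a broad Allow, here is an added Python simulator (not code from the question, the answer, or AWS); it models only the explicit-deny-wins rule and the `StringNotLike` operator, using a constructed bucket name and referer list in place of the poster's values:

```python
import fnmatch

def make_policy(referer_patterns):
    """Constructed policy with the same shape as the one in the question:
    an explicit Deny conditioned on the referer, plus an unconditional Allow."""
    bucket_objects = ["arn:aws:s3:::example-bucket/*"]  # placeholder bucket
    return {
        "Version": "2008-10-17",
        "Statement": [
            {"Sid": "DenyUnknownReferer", "Effect": "Deny", "Principal": "*",
             "Action": ["s3:GetObject"], "Resource": bucket_objects,
             "Condition": {"StringNotLike": {"aws:Referer": referer_patterns}}},
            {"Sid": "AllowPublicRead", "Effect": "Allow", "Principal": "*",
             "Action": ["s3:GetObject"], "Resource": bucket_objects},
        ],
    }

# Patterns with and without a trailing '*' to show the difference below.
POLICY = make_policy(["https://www.example.com/", "https://www.example.com/*"])

def _matches(patterns, value):
    # IAM string matching: '*' and '?' wildcards, case-sensitive. fnmatch is a
    # close approximation (it additionally treats [..] as a class, IAM does not).
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_holds(condition, context):
    # Only StringNotLike is modelled. A negated operator is true when the
    # key is absent from the request context, so a missing Referer header
    # makes the Deny statement apply.
    for key, patterns in condition.get("StringNotLike", {}).items():
        if key in context and _matches(patterns, context[key]):
            return False
    return True

def evaluate(policy, action, resource, context):
    """Return 'Allow' or 'Deny' for a request: an applicable Deny always wins,
    otherwise an applicable Allow is needed, otherwise implicit deny."""
    allowed = False
    for statement in policy["Statement"]:
        if not _matches(statement["Action"], action):
            continue
        if not _matches(statement["Resource"], resource):
            continue
        if not _condition_holds(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"
```

Two outcomes worth checking against your own list: a request that sends no Referer header at all (typical for SDK and CLI clients) is denied, and a pattern without a trailing `*` only matches a referer that is exactly that string, so deep links from the same site are denied. Since the Referer header is set by the client, this kind of condition limits casual hotlinking but is not an access-control boundary.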
