- 最新
- 投票最多
- 评论最多
Hello
How are you logged in going to S3? and how are you accessing test2 when you get access denied?
if you are logged in AWS and clicking on the URL for test2 and you get an access denied it is because the file is not public. The url for test2 does not have a way to authenticate/authorize who you are, it is just a url. If you click on the download file, it should work because it has the security token associate it with it.
hope this helps
RT
Hello
A few things:
-
When you create a bucket policy, the individual files will inherit the policy.
-
the current policy is not "explicitly denying" any access, so if people have IAM (user, group, role) permissions to access the objects in that bucket, they will get those objects.
-
if you want to make sure that only few people can access objects in that bucket, you will have to create a policy that includes a DENY for NotPrincipal which means deny for everyone except this user
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notprincipal.html -
and if you want to deny access to all objects except for one, you could add also a DENY wtih a not resource which means deny for all objects except this one
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notresource.html
these two links may come handy too
IAM policy simulator to test your policies
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html
become a policy ninja
https://www.slideshare.net/AmazonWebServices/become-an-iam-policy-ninja
hope this helps
RT
Thanks, I am trying to logically go through this in my head, as if this was linux I would just say hey chmod 600 *, then allow read to that one file and be done.
So logically I am trying to say;
User: me (allow all)
everyone else deny all except file.html which should be allowed read by world.
According to the NotPrincipal with Allow it states "We strongly recommend that you do not use NotPrincipal in the same policy statement as "Effect": "Allow"." So, what is the best method to say deny all unless it's this file AND allow all to this user (even in laymen's terms).
Thanks
Here is the most basic issue that I am using to try to get that understood, I have a test bucket, 2 text files and here is what I have;
{
"Version": "2012-10-17",
"Id": "Policy1556908483700",
"Statement": [
{
"Sid": "Stmt1556908464159",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::11111111111:user/lance"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::zzztest/test2.txt"
},
{
"Sid": "Stmt1556908464159",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::zzztest/test1.txt"
}
]
}
To me the above says, the world can see test1.txt and only my user can see test2.txt. Well I save that, and I can see 1 just fine, 2 I get an error from the public side. But logged in, going to S3 (or the URL), I can click the bucket, I can see the 2 files, but test2 says access denied. So, before I start getting really te
相关内容
- 已提问 10 个月前
