如何在AWS S3上仅在特定路径级别拒绝对象删除

huangapple go评论62阅读模式
英文:

How to deny object deletion only at specific path level on AWS S3

问题

I must prevent my users from deleting objects above a certain level of path.
要防止用户删除某一路径级别以上的对象。

Say that I have the following path structure:
假设我有以下路径结构:

  • lavel0
    • level1
      • level2-A
        • level3-A
          • file1.ext
          • file2.ext
      • level2-B
        • level3-B
          • file1.ext
          • file2.ext

I would like to let my S3 users be able to delete objects only starting from level3* included. So basically they should be able to delete level3-A and level3-B folders but not level2-A and level2-B neither level0 and level1.
我想让我的S3用户只能从level3*及以上的级别开始删除对象。基本上,他们应该能够删除level3-Alevel3-B文件夹,但不能删除level2-Alevel2-B,也不能删除level0level1

Keep in mind I don't know level2* folder names in advance (but I know level0/level1).
请注意,我事先不知道level2*文件夹的名称(但我知道level0/level1)。

I tried with the following policy with no success (it consequence is that nothing is can be deleted from level1) .
我尝试了以下策略,但没有成功(它的后果是无法从level1删除任何内容)。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Sid1",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::<<my-bucket>>/*"
            ]
        },
        {
            "Sid": "Sid2",
            "Effect": "Deny",
            "Action": [
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::<<my-bucket>>/level0/level1/*/"
            ]
        }
    ]
}

I'm wondering if what I'm trying to do is actually possible.
我在想我是否能够实现我试图做的事情。

英文:

I must prevent my users from deleting objects above a certain level of path.
Say that I have the following path structure:

  • lavel0
    • level1
      • level2-A
        • level3-A
          • file1.ext
          • file2.ext
      • level2-B
        • level3-B
          • file1.ext
          • file2.ext

I would like to let my S3 users be able to delete objects only starting from level3* included. So basically they should be able to delete level3-A and level3-B folders but not level2-A and level2-B neither level0 and level1.
Keep in mind I don't know level2* folder names in advance (but I know level0/level1).

I tried with the following policy with no success (it consequence is that nothing is can be deleted from level1) .

{
    &quot;Version&quot;: &quot;2012-10-17&quot;,
    &quot;Statement&quot;: [
        {
            &quot;Sid&quot;: &quot;Sid1&quot;,
            &quot;Effect&quot;: &quot;Allow&quot;,
            &quot;Action&quot;: [
                &quot;s3:*&quot;
            ],
            &quot;Resource&quot;: [
                &quot;arn:aws:s3:::&lt;&lt;my-bucket&gt;&gt;/*&quot;
            ]
        },
        {
            &quot;Sid&quot;: &quot;Sid2&quot;,
            &quot;Effect&quot;: &quot;Deny&quot;,
            &quot;Action&quot;: [
                &quot;s3:DeleteObject&quot;
            ],
            &quot;Resource&quot;: [
                &quot;arn:aws:s3:::&lt;&lt;my-bucket&gt;&gt;/level0/level1/*/&quot;
            ]
        }
    ]
}

I'm wondering if what I'm trying to do is actually possible.

答案1

得分: 0

不,似乎这是不可能的。

通配符arn:aws:s3:::&lt;&lt;my-bucket&gt;&gt;/level0/level1/*/将匹配:

arn:aws:s3:::&lt;&lt;my-bucket&gt;&gt;/level0/level1/level2-A/

以及

arn:aws:s3:::&lt;&lt;my-bucket&gt;&gt;/level0/level1/level2-A/level-3A/

它仅检查ARN是否以arn:aws:s3:::&lt;&lt;my-bucket&gt;&gt;/level0/level1/开头,并以额外的/结尾。它不指定在level1/和最后一个/之间可能出现什么。

因此,在不知道level2文件夹的名称的情况下,无法指定防止删除较低级文件夹的策略。

英文:

No, it doesn't seem like this is possible.

The wildcard arn:aws:s3:::&lt;&lt;my-bucket&gt;&gt;/level0/level1/*/ will match:

arn:aws:s3:::&lt;&lt;my-bucket&gt;&gt;/level0/level1/level2-A/

and also

arn:aws:s3:::&lt;&lt;my-bucket&gt;&gt;/level0/level1/level2-A/level-3A/

It is merely checking that the ARN starts with arn:aws:s3:::&lt;&lt;my-bucket&gt;&gt;/level0/level1/ and ends with an additional /. It does not specify what might appear between level1/ and the final /.

Therefore, without know the names of the level2 folders, it isn't possible to specify a policy that prevents lower-level folder deletion.

huangapple
  • 本文由 发表于 2023年6月29日 18:51:44
  • 转载请务必保留本文链接:https://go.coder-hub.com/76580352.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定