英文:
How to deny object deletion only at specific path level on AWS S3
问题
I must prevent my users from deleting objects above a certain level of path.
要防止用户删除某一路径级别以上的对象。
Say that I have the following path structure:
假设我有以下路径结构:
- lavel0
- level1
- level2-A
- level3-A
- file1.ext
- file2.ext
- level3-A
- level2-B
- level3-B
- file1.ext
- file2.ext
- level3-B
- level2-A
- level1
I would like to let my S3 users be able to delete objects only starting from level3* included. So basically they should be able to delete level3-A and level3-B folders but not level2-A and level2-B neither level0 and level1.
我想让我的S3用户只能从level3*及以上的级别开始删除对象。基本上,他们应该能够删除level3-A和level3-B文件夹,但不能删除level2-A和level2-B,也不能删除level0和level1。
Keep in mind I don't know level2* folder names in advance (but I know level0/level1).
请注意,我事先不知道level2*文件夹的名称(但我知道level0/level1)。
I tried with the following policy with no success (it consequence is that nothing is can be deleted from level1) .
我尝试了以下策略,但没有成功(它的后果是无法从level1删除任何内容)。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Sid1",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::<<my-bucket>>/*"
]
},
{
"Sid": "Sid2",
"Effect": "Deny",
"Action": [
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::<<my-bucket>>/level0/level1/*/"
]
}
]
}
I'm wondering if what I'm trying to do is actually possible.
我在想我是否能够实现我试图做的事情。
英文:
I must prevent my users from deleting objects above a certain level of path.
Say that I have the following path structure:
- lavel0
- level1
- level2-A
- level3-A
- file1.ext
- file2.ext
- level3-A
- level2-B
- level3-B
- file1.ext
- file2.ext
- level3-B
- level2-A
- level1
I would like to let my S3 users be able to delete objects only starting from level3* included. So basically they should be able to delete level3-A and level3-B folders but not level2-A and level2-B neither level0 and level1.
Keep in mind I don't know level2* folder names in advance (but I know level0/level1).
I tried with the following policy with no success (it consequence is that nothing is can be deleted from level1) .
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Sid1",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::<<my-bucket>>/*"
]
},
{
"Sid": "Sid2",
"Effect": "Deny",
"Action": [
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::<<my-bucket>>/level0/level1/*/"
]
}
]
}
I'm wondering if what I'm trying to do is actually possible.
答案1
得分: 0
不,似乎这是不可能的。
通配符arn:aws:s3:::<<my-bucket>>/level0/level1/*/
将匹配:
arn:aws:s3:::<<my-bucket>>/level0/level1/level2-A/
以及
arn:aws:s3:::<<my-bucket>>/level0/level1/level2-A/level-3A/
它仅检查ARN是否以arn:aws:s3:::<<my-bucket>>/level0/level1/
开头,并以额外的/
结尾。它不指定在level1/
和最后一个/
之间可能出现什么。
因此,在不知道level2文件夹的名称的情况下,无法指定防止删除较低级文件夹的策略。
英文:
No, it doesn't seem like this is possible.
The wildcard arn:aws:s3:::<<my-bucket>>/level0/level1/*/
will match:
arn:aws:s3:::<<my-bucket>>/level0/level1/level2-A/
and also
arn:aws:s3:::<<my-bucket>>/level0/level1/level2-A/level-3A/
It is merely checking that the ARN starts with arn:aws:s3:::<<my-bucket>>/level0/level1/
and ends with an additional /
. It does not specify what might appear between level1/
and the final /
.
Therefore, without know the names of the level2 folders, it isn't possible to specify a policy that prevents lower-level folder deletion.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论