Difference between object ownership and Block Public Access feature of AWS S3

Question

I see this setting in my Permissions tab of an S3 bucket

However, I (thought I) had explicitly disabled all ACL-related manipulation of the bucket through this:

What is their difference?

Answer 1

Score: 1

Object Ownership and Block Public Access are two distinct concepts related to managing access control in AWS S3. Here's a breakdown of each concept:

Object Ownership:

Object Ownership refers to the ownership of objects stored in an S3 bucket. When an object is created in an S3 bucket, it is owned by the AWS account that created it by default. The object owner has full control over the object and can manage its access permissions. The object owner can grant or revoke permissions for other AWS accounts or IAM users to access the object.

Ownership of an object can be transferred between AWS accounts if the necessary permissions are granted. This can be useful, for example, when moving objects between buckets or accounts for organisational purposes or when sharing objects with other AWS accounts.

Block Public Access:

Block Public Access is a feature in S3 that helps prevent accidental public access to objects stored in S3 buckets. When Block Public Access is enabled at the bucket level, it overrides any existing permissions or policies that grant public access to objects in the bucket.
Block Public Access provides four settings to control public access:

a. BlockPublicAcls: When enabled, it blocks new Access Control Lists (ACLs) that grant public access.
b. IgnorePublicAcls: If enabled, it ignores any public ACLs on objects and blocks access based on bucket policies.
c. BlockPublicPolicy: When enabled, it blocks new bucket policies that grant public access.
d. RestrictPublicBuckets: If enabled, it blocks public access to the entire bucket and any objects within it.

These settings help enforce a higher level of security by preventing accidental public exposure of S3 objects. They ensure that only authorized users or AWS accounts can access the objects stored in the bucket.

In summary, object ownership is about determining which AWS account owns an object and controls its access permissions, while Block Public Access is a feature that helps prevent accidental public access to S3 objects by overriding existing permissions and policies.
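To make the difference concrete, here is a small model (added illustration, not code from the answer or from AWS) of how the four Block Public Access settings and the Object Ownership setting gate a request. It assumes the question's "ACLs disabled" screenshot refers to the `BucketOwnerEnforced` ownership setting, and simplifies the AWS rules to the cases the answer names.

```python
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class BucketControls:
    # The four Block Public Access settings named in the answer (secure defaults).
    block_public_acls: bool = True
    ignore_public_acls: bool = True
    block_public_policy: bool = True
    restrict_public_buckets: bool = True
    # Object Ownership; "BucketOwnerEnforced" disables ACLs entirely (assumed value).
    object_ownership: str = "BucketOwnerEnforced"
    # Whether the bucket currently carries a policy granting public access.
    has_public_policy: bool = False


def evaluate(c: BucketControls, action: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for one of four request kinds."""
    acls_disabled = c.object_ownership == "BucketOwnerEnforced"
    if action == "put_public_acl":          # caller tries to attach a public ACL
        if acls_disabled:
            return False, "ACLs disabled by Object Ownership (BucketOwnerEnforced)"
        if c.block_public_acls:
            return False, "BlockPublicAcls rejects new public ACLs"
        return True, "public ACL accepted"
    if action == "read_via_public_acl":     # anonymous read relying on an older public ACL
        if acls_disabled:
            return False, "ACLs disabled; existing ACL grants have no effect"
        if c.ignore_public_acls:
            return False, "IgnorePublicAcls makes existing public ACLs ineffective"
        return True, "existing public ACL honoured"
    if action == "put_public_policy":       # caller tries to attach a public bucket policy
        if c.block_public_policy:
            return False, "BlockPublicPolicy rejects policies granting public access"
        return True, "public bucket policy accepted"
    if action == "anonymous_read_via_policy":  # anonymous read relying on a public policy
        if not c.has_public_policy:
            return False, "no public bucket policy on the bucket"
        if c.restrict_public_buckets:
            return False, "RestrictPublicBuckets limits a public policy to the owner account"
        return True, "public bucket policy honoured"
    raise ValueError(f"unknown action {action!r}")


# The question's situation: ACLs disabled via ownership, but Block Public Access off.
acl_disabled_only = BucketControls(block_public_acls=False, ignore_public_acls=False,
                                   block_public_policy=False, restrict_public_buckets=False,
                                   object_ownership="BucketOwnerEnforced", has_public_policy=True)
```

Evaluating `acl_disabled_only` shows the gap: `put_public_acl` is refused by Object Ownership, yet `anonymous_read_via_policy` still succeeds because ownership says nothing about bucket policies; only Block Public Access closes that path.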

huangapple
  • Posted on 2023-07-04 21:51:21
  • Please keep the link to this article when reposting: https://go.coder-hub.com/76613335.html