【发布时间】:2020-04-06 18:25:04
【问题描述】:
我正在配置两个 s3 存储桶之间的复制。但我得到了错误
访问被拒绝:Amazon S3 无法检测是否启用了版本控制 目标存储桶。
目标存储桶位于另一个账户,不同区域。 这是目标存储桶中的存储桶策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::destination",
"arn:aws:s3:::destination/*"
],
"Condition": {
"StringNotLike": {
"aws:userId": [
"AROAS3AHCETXXDF5Z5GVG:*",
"AROAS3AHCETXX2DMH4JPY:*",
"AROAS3AHCEXXX4SNCNTNV:*",
"AROAVJZZXXXXXZBBR7PN6L:*"
]
}
}
},
{
"Sid": "S3ReplicationPolicyStmt1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXXXXXXXXX:root"
},
"Action": [
"s3:GetBucketVersioning",
"s3:GetObjectVersionForReplication",
"s3:PutBucketVersioning",
"s3:ReplicateObject",
"s3:ReplicateDelete",
"s3:PutObjectAcl",
"s3:ObjectOwnerOverrideToBucketOwner"
],
"Resource": [
"arn:aws:s3:::destination",
"arn:aws:s3:::destination/*"
]
}
]
}
我的存储桶是高度机密的,所以我首先拒绝除某些角色之外的所有访问:所以在这种情况下,我也排除了复制角色 ID。
为什么复制角色仍然不允许复制?这个存储桶策略有什么问题? 在上述策略中,我实际上两次授权复制角色。在这两个语句中。
这里是复制 IAM 角色政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:Get*",
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::source",
"arn:aws:s3:::source/*"
]
},
{
"Action": [
"s3:ReplicateObject",
"s3:ReplicateDelete",
"s3:ReplicateTags",
"s3:GetBucketVersioning",
"s3:GetObjectVersionTagging",
"s3:ObjectOwnerOverrideToBucketOwner"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::destination/*"
}
]
}
我尝试删除显式拒绝语句并测试复制,源存储桶获得了版本控制,我没有拒绝访问,但没有复制对象。
【问题讨论】:
标签: amazon-web-services security amazon-s3 bucket