如何在不列出存储桶的情况下将文件上传到 Amazon S3

Question

我正在使用带有 S3 存储桶策略的 Angular 前端将文件上传到 S3：

{
  "Id": "Policy1499245520254",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1499245493674",
      "Action": [
        "s3:*"
      ],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::test-dev/*",
                "arn:aws:s3:::test-dev"],
      "Principal": "*"
    }
  ]
}

但如果我将上述政策更改为

{
  "Id": "Policy1499245520254",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1499245493674",
      "Action": [
        "s3:*"
      ],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::test-dev/*",
                "arn:aws:s3:::test-dev"],
      "Principal": "*"
    },
    {
      "Sid": "Stmt1499245517941",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::test-dev",
      "Principal": "*"
    }
  ]
}

我添加的地方：

{
      "Sid": "Stmt1499245517944",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::test-dev",
      "Principal": "*"
 }

添加bucket listdeny，上传失败。无论如何我可以在不列出存储桶的情况下上传文件。

Answer 1

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:GetObjectACL",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:PutObjectTagging",
                "s3:PutObjectVersionAcl",
                "s3:PutObjectVersionTagging"
            ],
            "Resource": [
                "arn:aws:s3:::test-dev",
                "arn:aws:s3:::test-dev/*"
            ]
        }
    ]
}

我只是通过允许这些权限来解决它，显然这里不需要存储桶列表并解决了问题。

Answer 2

这是因为s3:ListBucket 操作涵盖了GET Bucket (List Objects) 和HEAD Bucket 操作。 HEAD Bucket 操作确定存储桶是否存在以及您是否有权访问它，这似乎在对对象的任何操作（例如s3:PutObject 操作）之前调用。见Specifying Permissions in a Policy。