努力创建存储桶策略以列出某些文件类型。具体来说,我想只允许访问图像类型。扩展白名单S3资源
我能创造一个黑名单策略,像这样:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject"
],
"Effect": "Deny",
"Resource": [
"arn:aws:s3:::[my_bucket]/*.exe"
],
"Principal": {
"AWS": "*"
}
}
]
}
白名单未遂#1:
问题:这允许所有类型的,不只是那些上市
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::[my_bucket]/*.jpg",
"arn:aws:s3:::[my_bucket]/*.png",
"arn:aws:s3:::[my_bucket]/*.gif",
],
"Principal": {
"AWS": "*"
}
}
]
}
WHITELIST ATTEMPT#2:
问题:这最终拒绝所有文件
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject"
],
"Effect": "Deny",
"Resource": [
"arn:aws:s3:::[my_bucket]/*"
],
"Principal": {
"AWS": "*"
}
},
{
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::[my_bucket]/*.jpg",
"arn:aws:s3:::[my_bucket]/*.png",
"arn:aws:s3:::[my_bucket]/*.gif",
],
"Principal": {
"AWS": "*"
}
}
]
}
**任何**匹配的拒绝总是拒绝。允许不能否决拒绝。 –