我想对 AWS S3 ACL 公共(public)读写进行一些解释,来自 docs :
Owner gets FULL_CONTROL. The AllUsers group gets READ and WRITE access. Granting this on a bucket is generally not recommended.
[...]
All Users group – Represented by http://acs.amazonaws.com/groups/global/AllUsers. Access permission to this group allows anyone to access the resource. The requests can be signed (authenticated) or unsigned (anonymous). Unsigned requests omit the Authentication header in the request.
但这意味着每个 aws 帐户都可以读取/写入我的文件?或者只有我的 IAM 用户可以读/写我的文件?
最佳答案
看这个文档:http://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html
Amazon S3 Predefined Groups
Amazon S3 has a set of predefined groups. When granting account access to a group, you specify one of our URIs instead of a canonical user ID. We provide the following predefined groups:
Authenticated Users group – Represented by http://acs.amazonaws.com/groups/global/AuthenticatedUsers. This group represents all AWS accounts. Access permission to this group allows any AWS account to access the resource. However, all requests must be signed (authenticated).
All Users group – Represented by http://acs.amazonaws.com/groups/global/AllUsers. Access permission to this group allows anyone to access the resource. The requests can be signed (authenticated) or unsigned (anonymous). Unsigned requests omit the Authentication header in the request.
Log Delivery group – Represented by http://acs.amazonaws.com/groups/s3/LogDelivery. WRITE permission on a bucket enables this group to write server access logs (see Server Access Logging) to the bucket.
通过 ACL,您只需与其他 AWS 账户共享您的 S3 存储桶。没有登录AWS账户的人无法访问您的存储桶。
如果您希望 AWS 账户和非 AWS 账户都可以访问您的 S3 存储桶,您必须定义 S3 存储桶策略。 例如:
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AllowPublicRead",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::S3-Bucket-name/*"
}
]
}
关于amazon-web-services - AWS S3 ACL 公共(public)读写 : security concern,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/46400093/