I want some explanation of the AWS S3 ACL public-read-write, from the docs:
Owner gets FULL_CONTROL. The AllUsers group gets READ and WRITE access. Granting this on a bucket is generally not recommended.
[...]
All Users group – Represented by https://acs.amazonaws.com/groups/global/AllUsers. Access permission to this group allows anyone to access the resource. The requests can be signed (authenticated) or unsigned (anonymous). Unsigned requests omit the Authentication header in the request.
But does this mean that every AWS account can read/write my files, or only my IAM user can read/write my files?
1 solution
#1
Look at this document: https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html
Amazon S3 Predefined Groups
Amazon S3 has a set of predefined groups. When granting account access to a group, you specify one of our URIs instead of a canonical user ID. We provide the following predefined groups:
Authenticated Users group – Represented by https://acs.amazonaws.com/groups/global/AuthenticatedUsers. This group represents all AWS accounts. Access permission to this group allows any AWS account to access the resource. However, all requests must be signed (authenticated).
All Users group – Represented by https://acs.amazonaws.com/groups/global/AllUsers. Access permission to this group allows anyone to access the resource. The requests can be signed (authenticated) or unsigned (anonymous). Unsigned requests omit the Authentication header in the request.
Log Delivery group – Represented by https://acs.amazonaws.com/groups/s3/LogDelivery. WRITE permission on a bucket enables this group to write server access logs (see Server Access Logging) to the bucket.
With an ACL, you can just share your S3 bucket with other AWS accounts. Those without a logged-in AWS account cannot access your bucket.
If you want both AWS accounts and non-AWS accounts to be able to access your S3 bucket, you must define an S3 bucket policy. For example:
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AllowPublicRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::S3-Bucket-name/*"
        }
    ]
}
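To make the difference between the two predefined groups and a wildcard-principal bucket policy concrete, here is an added example (not from the original question or answer) that classifies ACL grants and policy statements by the audience they expose a bucket to; the inputs are constructed dicts in the shape boto3's get_bucket_acl()/get_bucket_policy() return, so it runs offline and is useful for auditing unintended public exposure.

```python
# Added example (not from the original post): classify S3 ACL grants and
# bucket-policy statements by who they expose a bucket to. Inputs below are
# constructed inline, shaped like boto3 get_bucket_acl()/get_bucket_policy().
ALL_USERS = "https://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "https://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def _group_path(uri):
    # S3 may return these URIs with http://; the docs quote https://. Match both.
    return uri.split("://", 1)[-1]


def acl_exposure(acl):
    """Permissions granted to anonymous callers vs. any signed-in AWS account."""
    exposure = {"anonymous": set(), "any_aws_account": set()}
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser grantees name one specific account
        path = _group_path(grantee.get("URI", ""))
        if path == _group_path(ALL_USERS):
            exposure["anonymous"].add(grant["Permission"])
        elif path == _group_path(AUTHENTICATED_USERS):
            exposure["any_aws_account"].add(grant["Permission"])
    return exposure


def policy_public_actions(policy):
    """Actions an Allow statement grants to Principal "*" (anyone, signed or not)."""
    actions = set()
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        public = aws == "*" or (isinstance(aws, list) and "*" in aws)
        if stmt.get("Effect") == "Allow" and public:
            acts = stmt.get("Action", [])
            actions.update([acts] if isinstance(acts, str) else acts)
    return actions


# Constructed sample: the public-read-write canned ACL the question asks about.
PUBLIC_READ_WRITE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
]}

# Constructed sample: the bucket policy from the answer above.
PUBLIC_READ_POLICY = {"Version": "2008-10-17", "Statement": [
    {"Sid": "AllowPublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::S3-Bucket-name/*"}]}
```

For the ACL in the question, acl_exposure reports READ and WRITE under "anonymous", which is exactly why the docs advise against granting it on a bucket.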