Question:
Is there a way to define an S3 bucket policy to enforce the standard storage class? I want to prevent users from creating objects with the reduced redundancy storage class.
Answer 1:
You can now use a condition in an S3 bucket policy to constrain the creation of S3 objects (using PutObject) to specific storage classes.
The current version of the AWS documentation has an example - Restrict object uploads to objects with a specific storage class.
Suppose Account A owns a bucket and the account administrator wants to restrict Dave, a user in Account A, to be able to only upload objects to the bucket that will be stored with the STANDARD_IA storage class. The Account A administrator can accomplish this by using the s3:x-amz-storage-class condition key as shown in the following example bucket policy.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AccountA-ID:user/Dave"
            },
            "Action": "s3:PutObject",
            "Resource": [
                "arn:aws:s3:::examplebucket/*"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-storage-class": [
                        "STANDARD_IA"
                    ]
                }
            }
        }
    ]
}
Your values for Principal and Resource would be specific to your users and S3 bucket(s). The Condition constraint would need to change to STANDARD.
Answer 2:
I'm afraid not; at least it doesn't seem to be documented. Given the Amazon IAM policy design, this constraint would need to be covered by a respective Condition:
The Condition element (or Condition block) lets you specify conditions for when a policy is in effect. [...] Condition values can include date, time, the IP address of the requester, the ARN of the request source, the user name, user ID, and the user agent of the requester. Some services let you specify additional values in conditions; for example, Amazon S3 lets you write a condition using the s3:VersionId key, which is unique to that service. [...] [emphasis mine]
Now, the section Amazon S3 Condition Keys for Object Operations within Specifying Conditions in a Policy lacks any reference to the storage class, whereas the semantic sibling s3:x-amz-server-side-encryption is present already:
When granting the s3:PutObject permission, the bucket owner can add a condition using this key to require the user to specify this header in the request. A bucket owner can grant such conditional permission to ensure that objects the user uploads are saved encrypted.
Given the involved symmetry for these headers (see section System-Defined Metadata within Object Key and Metadata), you might want to simply try s3:x-amz-storage-class though; maybe you are lucky and it is in 'private beta' already ;)