我想为所有资源防止未加密上传到S3存储桶。我正试图使用S3策略来做到这一点,如下所示:
PolicyS3BucketPolicy:
Type: AWS::S3::BucketPolicy
DependsOn: PolicyS3Bucket
Properties:
Bucket: !Ref PolicyS3Bucket
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Deny
Sid: DenyUnEncryptedObjectUploads
Action: "s3:PutObject"
Resource: "*"
Principal:
AWS: "*"
Condition:
StringNotEquals:
"s3:x-amz-server-side-encryption": "aws:kms"
为了简洁起见,省略了PolicyS3Bucket资源定义。
当我尝试部署我的服务时,我会收到以下错误:
PolicyS3BucketPolicy - Policy has invalid resource (Service: Amazon S3; Status Code: 400; Error Code: MalformedPolicy; Request ID: 5E5PR65Y1JY805Q0; S3 Extended Request ID: hxBAxt2qqqkgMRlF9JS5J0LFJ0EPxHU3mhIjYZ/x1kp+WT5FdlHSKEpY97x0gT2ZE0KXKMqzyKo=; Proxy: null).
如何设置Resource值,以便此策略拒绝所有资源?
我认为问题在于您的S3存储桶策略指示:
Resource: "*"
它的范围应该是实际的bucket,例如:
Resource: "arn:aws:s3:::mybucket/*"
如果您使用的是无服务器框架,或者类似于以下内容:
Resource: arn:aws:s3:::${self:custom.config.myBucketName}/*