嗨,我想为我的桶创建一个s3策略,拒绝用户上传不使用aws s3加密或aws kms加密的对象(它必须使用其中一种加密)。这里是策略生成器https://awspolicygen.s3.amazonaws.com/policygen.html
的链接我已经生成了这个策略。
{
"Id": "Policy1631518070654",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1631518063107",
"Action": [
"s3:PutObject"
],
"Effect": "Deny",
"Resource": "arn:aws:s3:::webserver7/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "AES256"
},
"StringNotLike": {
"s3:x-amz-server-side-encryption-aws-kms-key-id": "aws:kms"
}
},
"Principal": "*"
}
]
}
我们可以将政策解释如下....如果对象没有使用aws s3加密ANDAws:kms加密然后拒绝上传。
但是我们不能同时使用这两种加密。所以我希望策略如下:
"如果对象没有使用aws s3加密或Aws:kms加密然后拒绝对象上传。
如果您想要OR,您需要有两个语句:
{
"Id": "Policy1631518070654",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1631518063107",
"Action": [
"s3:PutObject"
],
"Effect": "Deny",
"Resource": "arn:aws:s3:::webserver7/*",
"Condition": {
"StringNotLike": {
"s3:x-amz-server-side-encryption-aws-kms-key-id": "aws:kms"
}
},
"Principal": "*"
},
{
"Sid": "Stmt16315180631072",
"Action": [
"s3:PutObject"
],
"Effect": "Deny",
"Resource": "arn:aws:s3:::webserver7/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "AES256"
}
},
"Principal": "*"
}
]
}
目前还不能添加这种策略。