我想限制公众获得我们存储在S3中的一些对象，但显示出按键的同一层的其他对象。例如，假设我要让 bucketname / * 公开可读。但要prevent访问 bucketname / * /隐藏/ * 对于不是EX在IAM pressly获准进入。

I'd like to restrict public access to some objects we have stored in S3, but show other objects in the same hierarchy of keys. For example, assume I want to make bucketname/* publicly readable. But want to prevent access to bucketname/*/hidden/* for any users that are not expressly given access in IAM.

我可以做到这一点就像一只水桶策略：

I can do that with a bucket policy like:

{
  "Id": "Policy123",
  "Statement": [
    {
      "Sid": "Stmt123",
      "Action": [ "s3:GetObject" ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucketname/*",
      "Principal": {
        "AWS": [ "*" ]
      }
    },
    {
      "Sid": "Stmt124",
      "Action": [ "s3:GetObject" ],
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::bucketname/*/hidden/*",
      "Principal": {
        "AWS": [ "*" ]
      }
  ]
}

但是，prevents我已经访问隐藏的对象授予任何IAM用户/组。是否有在只匹配未经验证的访问的第二条语句的主要的设置？或者更好的是，有没有办法仅列出的校长的应该不会受政策声明？

But that prevents any IAM users/groups I have granted from accessing the hidden objects. Is there a setting for Principal in the second statement that only matches unauthenticated access? Or better yet, is there a way to list only those Principals that should NOT be affected by a policy statement?

推荐答案

据AWS的支持，这是目前不可能的。任何拒绝政策覆盖匹配（或子集）允许政策，也没有办法拒绝匿名访问而已。

According to AWS support, this is currently not possible. Any Deny policy overrides a matching (or subset) Allow policy and there is no way to deny anonymous access only.

有一个类似的效果可以通过指定用于匹配的所有对象的私人ACL来实现bucketname / * /隐藏/ * ，但就是不够灵活，必须手动应用

A similar effect can be achieved by specifying a private ACL for all objects matching bucketname/*/hidden/*, but that is not as flexible and must be applied manually.