我如何上傳文件到Amazon S3，而不列出桶

Question

我採用了棱角分明的前端與S3鬥政策文件上傳到S3：

{ 
    "Id": "Policy1499245520254", 
    "Version": "2012-10-17", 
    "Statement": [ 
    { 
     "Sid": "Stmt1499245493674", 
     "Action": [ 
     "s3:*" 
     ], 
     "Effect": "Allow", 
     "Resource": ["arn:aws:s3:::test-dev/*", 
       "arn:aws:s3:::test-dev"], 
     "Principal": "*" 
    } 
    ] 
} 

但是，如果我改變上述政策

{ 
    "Id": "Policy1499245520254", 
    "Version": "2012-10-17", 
    "Statement": [ 
    { 
     "Sid": "Stmt1499245493674", 
     "Action": [ 
     "s3:*" 
     ], 
     "Effect": "Allow", 
     "Resource": ["arn:aws:s3:::test-dev/*", 
       "arn:aws:s3:::test-dev"], 
     "Principal": "*" 
    }, 
    { 
     "Sid": "Stmt1499245517941", 
     "Action": [ 
     "s3:ListBucket" 
     ], 
     "Effect": "Deny", 
     "Resource": "arn:aws:s3:::test-dev", 
     "Principal": "*" 
    } 
    ] 
} 

在哪裏我說：

{ 
     "Sid": "Stmt1499245517944", 
     "Action": [ 
     "s3:ListBucket" 
     ], 
     "Effect": "Deny", 
     "Resource": "arn:aws:s3:::test-dev", 
     "Principal": "*" 
} 

加入遺願清單否認，上傳失敗。任何方式如何我可以上傳文件沒有列出桶。

Answer 1

{ 
    "Version": "2008-10-17", 
    "Statement": [ 
     { 
      "Sid": "", 
      "Effect": "Allow", 
      "Principal": { 
       "AWS": "*" 
      }, 
      "Action": [ 
       "s3:GetObject", 
       "s3:PutObject", 
       "s3:GetObjectACL", 
       "s3:PutObject", 
       "s3:PutObjectAcl", 
       "s3:PutObjectTagging", 
       "s3:PutObjectVersionAcl", 
       "s3:PutObjectVersionTagging" 
      ], 
      "Resource": [ 
       "arn:aws:s3:::test-dev", 
       "arn:aws:s3:::test-dev/*" 
      ] 
     } 
    ] 
} 

我解決了它，只是允許這些權限，顯然這不需要桶列表，並解決了這個問題。

Answer 2

這是因爲s3:ListBucket操作覆蓋了GET Bucket (List Objects)和HEAD Bucket操作。該小桶操作確定桶存在並且您有權限訪問它，它好像是叫上對象的任何行動（如s3:PutObject動作）前。見Specifying Permissions in a Policy。