问题
I'm developing a mobile application which will let anyone upload a file to an S3 bucket. I think I'll use the Anonymous Token Vending Machine that is provided by Amazon.
However, I can't see how to write a TokenVendingMachinePolicy.json file that will only allow uploading new files, not overwriting (effectively deleting). I thought allowing just s3:PutObject would be fine, but it appears the s3:PutObject permission allows both. This seems a bit strange, since there's a separate s3:DeleteObject permission, which is useless, since you can just overwrite with 0-length object anyway.
Is there any way to only allow uploading new files? How is this problem usually solved?
回答1:
Unfortunately it's not possible to have a write-once permission. A workaround would be to use versioning on your bucket.
See this answer to a similar question that explains it in detail:
Amazon S3 ACL for read-only and write-once access
来源:https://stackoverflow.com/questions/18157414/amazon-s3-policy-allowing-only-upload-not-overwrite